)]}'
{"id":"openstack%2Fironic-python-agent~927983","triplet_id":"openstack%2Fironic-python-agent~bugfix%2F9.12~I5254b80717cb5a7f9084e3eff32a00b968f987b7","project":"openstack/ironic-python-agent","branch":"bugfix/9.12","topic":"ossa-2024-003","attention_set":{},"removed_from_attention_set":{"10342":{"account":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"last_update":"2024-09-05 01:30:46.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I5254b80717cb5a7f9084e3eff32a00b968f987b7","subject":"Inspect non-raw images for safety","status":"MERGED","created":"2024-09-04 14:11:19.000000000","updated":"2024-09-05 01:31:46.000000000","submitted":"2024-09-05 01:30:46.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"927983-ossa-2024-003","meta_rev_id":"9a2371205e716121c075babd397910f91b6a5e40","_number":927983,"virtual_id_number":927983,"owner":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2024-09-05 01:30:46.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2024-09-04 23:29:11.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":2,"date":"2024-09-04 21:05:02.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2024-09-04 23:29:11.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Backport-Candidate":{"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Do Not Backport"," 0":"Backport Review Needed","+1":"Should Backport"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2024-09-04 14:48:36.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2024-09-04 21:05:02.000000000","updated_by":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"reviewer":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"state":"REVIEWER"},{"updated":"2024-09-04 23:29:11.000000000","updated_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"reviewer":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"state":"REVIEWER"}],"messages":[{"id":"2f61b8d130e00a8f38ab5b28deefde32b9cdec82","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 14:11:19.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"099f8b409e45e9d3c9247f7f3fe08883cf9df433","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 14:48:36.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/bea61493090a45d7954b40b85548e37f\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/ac79506f051249fda2a4c8c097e184cc : SUCCESS in 5m 19s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/81ef59f6b07745268b8ec4b44f5f2bf2 : SUCCESS in 3m 22s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/3ce1371cd5be408eafa1689a91514a98 : SUCCESS in 6m 18s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/ea22590da6f4496cb3ab0c8ebb36ce35 : SUCCESS in 2m 42s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/91904167ce07484dba2d7b4e68f39da6 : SUCCESS in 3m 19s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/6ebc1e61363645cca826f1cbbe68c979 : FAILURE in 3m 27s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"019deaa8481aa94bae88bed5d1043453a5538d71","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 15:09:58.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Verified+1\n","accounts_in_message":[],"_revision_number":2},{"id":"61d273933ea4e4c9b2e8aa801b58755e5893ae18","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 15:20:16.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/9c2556c92d8e4ab5ba188ad52707ce7c\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/4a221a56a6be4b7bae024f225bfd9690 : SUCCESS in 6m 08s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/512611ca0fcc490cb3f50e470e6461af : SUCCESS in 4m 40s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/50a3c05ad10241109eb2ae31f6054346 : SUCCESS in 7m 01s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/21e22aeac56a4b349f9a098b17069cca : SUCCESS in 3m 42s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/a915c5f3ca6649fcae90bdbbd81f6640 : SUCCESS in 4m 58s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/781b579efb814b688a4846717f8edba1 : FAILURE in 4m 40s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"de02f21d6d1b7dc84f8cd15bfd243a50a11b5925","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 16:22:06.000000000","message":"Uploaded patch set 3: Patch Set 2 was rebased.\n\nOutdated Votes:\n* Verified+1\n","accounts_in_message":[],"_revision_number":3},{"id":"85fc7d75e7176fde675c7016a15813d3ab7da98b","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 16:37:27.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/adcbdc7f95d14ff686002d9d5d404012\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/85b33682f3ab43d0a18d0c148555e5c1 : SUCCESS in 5m 33s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/4826ac37d9e446b684aa8392b5b6babc : SUCCESS in 3m 33s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/f578941a44984870ac0c41e4717705da : SUCCESS in 5m 41s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/3c5d7f7a43b54c0798619b4ae64a3be9 : SUCCESS in 2m 37s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/5421a5b283ce4434971b7d01407b2159 : SUCCESS in 3m 27s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/266f0414ba74447c89b4e90b9783da4a : FAILURE in 3m 10s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"1439479bea51e43f71b6e2407b3b61ab50a582ee","tag":"autogenerated:gerrit:setTopic","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 17:26:06.000000000","message":"Topic set to ossa-2024-003","accounts_in_message":[],"_revision_number":3},{"id":"02e30d5a27d6f3b6f26f8acbc3e2cfc98731ab9a","author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"date":"2024-09-04 21:05:02.000000000","message":"Patch Set 3: Code-Review+2","accounts_in_message":[],"_revision_number":3},{"id":"78d3d787a9af56b9cc7eb00620c154907c117a37","author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"date":"2024-09-04 23:29:11.000000000","message":"Patch Set 3: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":3},{"id":"8368445e3391882448c63c7d5c8baf0a9266a96a","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 23:29:34.000000000","message":"Patch Set 3: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":3},{"id":"21627cdfd756bf8dd315b26690665492bdad4e24","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:46.000000000","message":"Patch Set 3: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/1e9e45cb4fa34b1e90bf5f148c736b8d\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/02e20e1fb7484ddd9fd24a2c094b94fd : SUCCESS in 3m 13s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/89f8c76cd72a4bc491131cfbb57eb764 : SUCCESS in 6m 49s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/3bc47d091c4e41e697a4ad3d1e09c59d : SUCCESS in 2m 39s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/23933e00ea3e485a99c30ed8e79bcdb0 : SUCCESS in 3m 19s","accounts_in_message":[],"_revision_number":3},{"id":"5974ee68978a90bdb0e0dd509c522207e8714585","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:46.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":3},{"id":"9a2371205e716121c075babd397910f91b6a5e40","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:31:46.000000000","message":"Patch Set 3:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/c03602eaadf84f119cce083bc18b9264\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/e475b181d95a491abdc01860348a5961 : SUCCESS in 36s\n- promote-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/867cedbdfa05486a8414659cd5320c85 : SUCCESS in 40s","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"be8ee50ea1b0fbccf91ea4e4180af1f0e8154cdb","revisions":{"f985f7a7800d6fc9e94caf2219b58b9d6717de11":{"kind":"REWORK","_number":1,"created":"2024-09-04 14:11:19.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/83/927983/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/83/927983/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/1"}}},"commit":{"parents":[{"commit":"cfcec8228e50d00638e1b7df27c9d71e263b90d4","subject":"Update .gitreview for bugfix/9.12","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/cfcec8228e50d00638e1b7df27c9d71e263b90d4"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 14:11:17.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/f985f7a7800d6fc9e94caf2219b58b9d6717de11"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/f985f7a7800d6fc9e94caf2219b58b9d6717de11"}]},"branch":"refs/heads/bugfix/9.12"},"4efa5ce37a6df7785bbfee2385f7f9e94e2e6b87":{"kind":"REWORK","_number":2,"created":"2024-09-04 15:09:58.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/83/927983/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/83/927983/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/2"}}},"commit":{"parents":[{"commit":"cfcec8228e50d00638e1b7df27c9d71e263b90d4","subject":"Update .gitreview for bugfix/9.12","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/cfcec8228e50d00638e1b7df27c9d71e263b90d4"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 15:09:52.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/4efa5ce37a6df7785bbfee2385f7f9e94e2e6b87"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/4efa5ce37a6df7785bbfee2385f7f9e94e2e6b87"}]},"branch":"refs/heads/bugfix/9.12"},"be8ee50ea1b0fbccf91ea4e4180af1f0e8154cdb":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2024-09-04 16:22:06.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/83/927983/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/83/927983/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/83/927983/3"}}},"commit":{"parents":[{"commit":"4822b3203a4a1caf1b40eb650d4ee5b1bf7453f7","subject":"Remove and disable examples job","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/4822b3203a4a1caf1b40eb650d4ee5b1bf7453f7"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 16:21:59.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/be8ee50ea1b0fbccf91ea4e4180af1f0e8154cdb"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/be8ee50ea1b0fbccf91ea4e4180af1f0e8154cdb"}]},"branch":"refs/heads/bugfix/9.12"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"}},{"label":"Backport-Candidate","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{}}},{"name":"Backport-Candidate","description":"Backport candidate status","status":"NOT_APPLICABLE","is_legacy":false,"applicability_expression_result":{"fulfilled":false,"status":"FAIL"},"submittability_expression_result":{"expression":"is:true","fulfilled":true,"status":"NOT_EVALUATED","passing_atoms":[],"failing_atoms":[],"atom_explanations":{}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{}}}]}