openstack/ironic-python-agent
Code Issues Proposed changes

Provide fallback from ATA erase to shredding

Browse Source 
Presently should the ATA erasure operation fails, IPA halts the
cleaning process and the node goes to CLEANFAIL state as a result.

This failure could be the result of a previous cleaning failure
that left drive security enabled, for which code has been added
in an attempt to address this case by attempting to unlock the
the drive.

In the event that an operator wishes to automatically fallback to
disk scrubbing operations, the capability has been added through
a driver_internal_info field "agent_continue_if_ata_erase_failed"
that can be set to True, however defaults to False keeping the
same behavior that IPA presently exhibits in the event of ATA
erase operations failing.

Partial-Bug: #1536695
Change-Id: I88edd9477f4f05aa55b2fe8efa4bbff1c5573bb1
This commit is contained in:
Julia Kreger
2016-01-21 11:26:44 -05:00
parent dcd1c8f19b
commit ed74a062c1
3 changed files with 251 additions and 18 deletions

56
ironic_python_agent/hardware.py

@ -568,8 +568,25 @@ class GenericHardwareManager(HardwareManager):
block_device.name)
return
if self._ata_erase(block_device):
return
# Note(TheJulia) Use try/except to capture and log the failure
# and then revert to attempting to shred the volume if enabled.
try:
if self._ata_erase(block_device):
return
except errors.BlockDeviceEraseError as e:
info = node.get('driver_internal_info', {})
execute_shred = info.get(
'agent_continue_if_ata_erase_failed', False)
if execute_shred:
LOG.warning('Failed to invoke ata_erase, '
'falling back to shred: %(err)s'
% {'err': e})
else:
msg = ('Failed to invoke ata_erase, '
'fallback to shred is not enabled: %(err)s'
% {'err': e})
LOG.error(msg)
raise errors.IncompatibleHardwareMethodError(msg)
if self._shred_block_device(node, block_device):
return
@ -643,6 +660,20 @@ class GenericHardwareManager(HardwareManager):
if 'supported' not in security_lines:
return False
if 'enabled' in security_lines:
# Attempt to unlock the drive in the event it has already been
# locked by a previous failed attempt.
try:
utils.execute('hdparm', '--user-master', 'u',
'--security-unlock', 'NULL', block_device.name)
security_lines = self._get_ata_security_lines(block_device)
except processutils.ProcessExecutionError as e:
raise errors.BlockDeviceEraseError('Security password set '
'failed for device '
'%(name)s: %(err)s' %
{'name': block_device.name,
'err': e})
if 'enabled' in security_lines:
raise errors.BlockDeviceEraseError(
('Block device {0} already has a security password set'
@ -653,16 +684,29 @@ class GenericHardwareManager(HardwareManager):
('Block device {0} is frozen and cannot be erased'
).format(block_device.name))
utils.execute('hdparm', '--user-master', 'u', '--security-set-pass',
'NULL', block_device.name)
try:
utils.execute('hdparm', '--user-master', 'u',
'--security-set-pass', 'NULL', block_device.name)
except processutils.ProcessExecutionError as e:
raise errors.BlockDeviceEraseError('Security password set '
'failed for device '
'%(name)s: %(err)s' %
{'name': block_device.name,
'err': e})
# Use the 'enhanced' security erase option if it's supported.
erase_option = '--security-erase'
if 'not supported: enhanced erase' not in security_lines:
erase_option += '-enhanced'
utils.execute('hdparm', '--user-master', 'u', erase_option,
'NULL', block_device.name)
try:
utils.execute('hdparm', '--user-master', 'u', erase_option,
'NULL', block_device.name)
except processutils.ProcessExecutionError as e:
raise errors.BlockDeviceEraseError('Erase failed for device '
'%(name)s: %(err)s' %
{'name': block_device.name,
'err': e})
# Verify that security is now 'not enabled'
security_lines = self._get_ata_security_lines(block_device)