Update container-based cleaning hardware manager to use ironic
conductor config.
Note:
- Moved conf variables from __init__ and evaluate_hardware_support
  as the config is overwritten after those processes
- Utilized getattr instead of making methods beforehand. The methods
  created don't stick for a new instance.
Partial-Bug: #2100556
Change-Id: I53d5a4f112fbed455d5574840611ef6ea2db3eae
Eventlet patches two things in socket, effectively:
- create_connection
- various greendns things
By adding this environment variable, we're going to disable a large portion of the greened module code in IPA, which will be a boost to our migration off.
Change-Id: I1f94238c8d83f9e7cb0f7e096172ffb7c20c862b
Add file to the reno documentation build to show release notes for
stable/2025.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2025.1.
Sem-Ver: feature
Change-Id: I259249774c39e95b214e77b2ae632c7278e78754
Using prlimits is incompatible with passing arguments as a list:
oslo.concurrency ends up executing something like:
    /opt/ironic-python-agent/bin/python3 -m oslo_concurrency.prlimit \
    --as=2147483648 -- ['env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', \
    '/tmp/cirros-0.6.2-x86_64-disk.img', '--output=json']
Which obviously fails. I don't understand how our CI has worked so far,
but the Metal3 BMO suite fails on this.
Change-Id: I46dbcb0f73bcbe09bb89b5c7195259570412698e
To help ease upgrades to Victoria, IPA had a knob added
to enable operators to express if agent tokens were required
in their deployment. Since then, the feature is required, however
we left the logic enabling the fun upgrade case handling.
At this point, this knob serves no further use, and can be removed.
Change-Id: I202f06e1b6598a802c9853fb99201c55e7a40cb1
In order to support a state of mid-cluster upgrades, IPA had logic
to permit the case of getting a call where we didn't have a token
but got a token, which could happen in a deployment which is mid-upgrade.
The code now explicitly lacks that permissive logic because, at this
point, upgrades no longer need to be supported from the pre-Victoria
clusters by current IPA.
Related-Bug: #2086865
Related-Bug: #2086866
Change-Id: Ia4c459158098f48cde4a6f6f9c96b25431a88081
This is a second attempt at securing the get command output endpoint
which could have data such as logs which could potentially have
sensitive details and information after the agent has completed
one or more actions.
Now, if a token is received, the agent locks out the command results
endpoint, and requires all future calls to include it.
This allows for the agent to be backwards compatible.
Special thanks go to cid for his first attempt at this, which I took
for the basis of some of the testing required.
Closes-Bug: #2086866
Co-Authored-By: cid@gr-oss.io
Change-Id: Ia39a3894ef5efaffd7e1d22cc6244059a32175ff
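
Added example, not part of the commit above or of ironic-python-agent's code: a minimal model of the lock-out that message describes. It assumes the latch is set by the first request that presents the token the agent already holds; `ResultsGate`, `authorize` and `replay` are hypothetical names, and the token and request sequence are constructed.

```python
import hmac
import secrets


class ResultsGate:
    """Hypothetical model of a token latch on a command-results endpoint."""

    def __init__(self, agent_token):
        self._token = agent_token   # token the agent already holds (assumption)
        self.locked = False         # flips once, never back

    def authorize(self, presented=None):
        """Return True if a GET for command results may proceed."""
        if presented is None:
            # Caller that sends no token: allowed only until a token is seen.
            return not self.locked
        # Constant-time comparison avoids leaking token prefixes via timing.
        valid = hmac.compare_digest(presented.encode(), self._token.encode())
        if valid:
            self.locked = True      # every later call must carry the token
        return valid


def replay(gate, requests):
    """Run a sequence of presented tokens (None = no token) through the gate."""
    return [gate.authorize(tok) for tok in requests]


# Constructed sample data: a random token and a request sequence.
TOKEN = secrets.token_urlsafe(32)
SEQUENCE = [None, "guess", TOKEN, None, "guess", TOKEN]

if __name__ == "__main__":
    results = replay(ResultsGate(TOKEN), SEQUENCE)
    for tok, ok in zip(SEQUENCE, results):
        label = "none" if tok is None else ("valid" if tok == TOKEN else "wrong")
        print(f"token={label:5} -> {'allowed' if ok else 'denied'}")
```

In this model the first token-less read still succeeds, so command results stay readable without authentication until a token-bearing caller has reached the agent; a wrong token is rejected at every stage and does not set the latch.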
This reverts commit 6f860995c64d5143d8684a175e3b043bc3bf1f54.
Reason for revert: the change has broken virtually everyone who
has not updated Ironic before IPA. To make the matter worse, the
attached release note is not descriptive and does not explain
the upgrade impact.
The reverted change should be reworked to allow a graceful period.
Change-Id: I2a2a03dd8409af900b938494ceafd45a89e0c197
Securely handle state transition by locking down IPA at the final
stage of rescue operation to prevent restarts on tenant networks.
Closes-Bug: #2086865
Change-Id: I8e1be8da93a8c3fdf3cff7ad386c702d970d15f1
Currently, we only validate authentication tokens for POST but not
for GET requests which could mean anyone can retrieve command results
without authentication. Adding that uniformly across all command-related
endpoints.
Closes-Bug: #2086866
Depends-On: https://review.opendev.org/c/openstack/ironic/+/941607
Change-Id: Ib7f58b1694273beeb25314984c6e049376244d86
One of the "fun" aspects of accessing OCI images is that we have no way
to realistically gain awareness of the underlying disk format in the
OCI model, at least unless it is hinted at in the data model.
Where we're unable to really figure that out is when a user
supplies a specific digest URL. Ironic recognizes this and "right sizes"
the process and data discovery and explicitly notes the disk format it
believes to be 'unknown'.
In order for IPA to be able to stream, and appropriately check
this data format, IPA has to be "okay" with 'unknown'. Everything else
appears good to get to this point. This doesn't prohibit the image
safety checking, just allows for the perception mismatch when the
format is 'unknown'.
Change-Id: Ibe38245e906c659057a3c5ea7d8a0e474599ff5c
For the OCI artifact retrieval case, to enable authentication to be
passed from the conductor (in the form of a bearer token), we need to
be able to handle the case where this data is present, and then
initiate the connection with the appropriate token.
Change-Id: I380b32671cbc3a640bc5012ac241a7244750d117
Updates the release note for the bootable container work to
clarify the existence of the configuration option which can
be utilized to disable bootable container deployments in the
ramdisk.
Change-Id: I5b269947884c015db38cf98ac782472a62858455
This reverts commit 412c8f3f4dd11d9eddf378e9ec92902195e14306.
Reason for revert: This landed in the wrong branch!
Change-Id: Ia4729c01e3e07f368fe691f91c3a1648a94c6d30
It's useful to have PCI bus address/driver collected, the operator can
use the information to configure portgroup in a consistent way.
Change-Id: I432bca881ad881bae6d5e67c9b6fb52fe55b4e1e
Migrated the existing lints to pre-commit and switched some over to ruff
to follow the changes that have landed in the ironic repo.
Change-Id: I361ca1b8d4ac9738f9c45ba6a87c377f5aca22a8
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>