Add knob for read-only and "erase_devices"

In https://review.opendev.org/#/c/704725 we merged a change to allow the agent to navigate read-only block devices. By default we always failed on the more secure "erase_devices" clean step as meta-data only erasure still leaves any sensitive information on the storage medium. That being said, it may be operationally okay for read-only devices to be ignored during the "erase_devices" clean step. Only the operator can make that call, and we should enable them to be able to assert that in the configuration to IPA. Change-Id: I475f0215eb0bd149c2d21e6962429181b63e8bdb
2020-07-13 09:55:56 -07:00 · 2020-07-13 09:55:56 -07:00 · 3d778db0c4
commit 3d778db0c4
parent 0e65f0134d
3 changed files with 24 additions and 0 deletions
--- a/ironic/conf/deploy.py
+++ b/ironic/conf/deploy.py
@ -147,6 +147,17 @@ opts = [
                      'Test" and typical ramdisk start-up. This value should '
                      'not exceed the [api]ramdisk_heartbeat_timeout '
                      'setting.')),
+    cfg.BoolOpt('erase_skip_read_only',
+                default=False,
+                mutable=True,
+                help=_('If the ironic-python-agent should skip read-only '
+                       'devices when running the "erase_devices" clean step '
+                       'where block devices are zeroed out. This requires '
+                       'ironic-python-agent 6.0.0 or greater. By default '
+                       'a read-only device will cause non-metadata based '
+                       'cleaning operations to fail due to the possible '
+                       'operational security risk of data being retained '
+                       'between deployments of the bare metal node.')),
 ]


--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
@ -311,6 +311,7 @@ def agent_add_clean_params(task):
    secure_erase = CONF.deploy.enable_ata_secure_erase
    info['agent_enable_ata_secure_erase'] = secure_erase
    info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency
+    info['agent_erase_skip_read_only'] = CONF.deploy.erase_skip_read_only

    task.node.driver_internal_info = info
    task.node.save()
--- a/releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml
+++ b/releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Adds the capability for an operator to set a configuration setting which
+    tells the ironic-python-agent it is okay to skip read-only block devices
+    when performing an ``erase_devices`` cleaning operation. This requires
+    ironic-python-agent version 6.0.0 or greater and can be set using the
+    ``[deploy]erase_skip_read_only`` configuration option.
+other:
+  - |
+    Starting in ironic-python-agent 6.0.0, metadata erasure of read-only
+    devices is skipped by default.