From 3d778db0c40ae7d93f0f82cbad8666077af39ee4 Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Mon, 13 Jul 2020 09:55:56 -0700 Subject: [PATCH] Add knob for read-only and "erase_devices" In https://review.opendev.org/#/c/704725 we merged a change to allow the agent to navigate read-only block devices. By default we always failed on the more secure "erase_devices" clean step as meta-data only erasure still leaves any sensitive information on the storage medium. That being said, it may be operationally okay for read-only devices to be ignored during the "erase_devices" clean step. Only the operator can make that call, and we should enable them to be able to assert that in the configuration to IPA. Change-Id: I475f0215eb0bd149c2d21e6962429181b63e8bdb --- ironic/conf/deploy.py | 11 +++++++++++ ironic/drivers/modules/deploy_utils.py | 1 + ...rase_devices-skip-read-only-9f8cd9278c35a84e.yaml | 12 ++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml
diff --git a/ironic/conf/deploy.py b/ironic/conf/deploy.py
index 8be4758b0a..cae1b123f8 100644
--- a/ironic/conf/deploy.py
+++ b/ironic/conf/deploy.py
@@ -147,6 +147,17 @@ opts = [
 'Test" and typical ramdisk start-up. This value should '
 'not exceed the [api]ramdisk_heartbeat_timeout '
 'setting.')),
+ cfg.BoolOpt('erase_skip_read_only',
+ default=False,
+ mutable=True,
+ help=_('If the ironic-python-agent should skip read-only '
+ 'devices when running the "erase_devices" clean step '
+ 'where block devices are zeroed out. This requires '
+ 'ironic-python-agent 6.0.0 or greater. By default '
+ 'a read-only device will cause non-metadata based '
+ 'cleaning operations to fail due to the possible '
+ 'operational security risk of data being retained '
+ 'between deployments of the bare metal node.')),
 ]
diff --git a/ironic/drivers/modules/deploy_utils.py b/ironic/drivers/modules/deploy_utils.py
index 510c256346..b336f5ed5c 100644
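Review bot: In ironic/conf/deploy.py the help string for `erase_skip_read_only` explains why the default fails but never states the consequence of turning the option on: read-only devices are left un-erased, so whatever they hold carries over to the next deployment of the node. It also opens with a fragment ("If the ironic-python-agent should skip ..."). I would start it with `'Whether the ironic-python-agent should skip read-only '` and close it with a sentence such as `'When set to True, data on skipped read-only devices is not erased.'`. Since the option is `mutable=True` and can presumably change while the conductor runs, the help could also say at what point the value is read for a node. The `opts` list begins outside this hunk.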
--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
@@ -311,6 +311,7 @@ def agent_add_clean_params(task):
 secure_erase = CONF.deploy.enable_ata_secure_erase
 info['agent_enable_ata_secure_erase'] = secure_erase
 info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency
+ info['agent_erase_skip_read_only'] = CONF.deploy.erase_skip_read_only
 task.node.driver_internal_info = info
 task.node.save()
diff --git a/releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml b/releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml
new file mode 100644
index 0000000000..b530dd807d
--- /dev/null
+++ b/releasenotes/notes/ipa-erase_devices-skip-read-only-9f8cd9278c35a84e.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Adds the capability for an operator to set a configuration setting which
+ tells the ironic-python-agent it is okay to skip read-only block devices
+ when performing an ``erase_devices`` cleaning operation. This requires
+ ironic-python-agent version 6.0.0 or greater and can be set using the
+ ``[deploy]erase_skip_read_only`` configuration option.
+other:
+ - |
+ Starting in ironic-python-agent 6.0.0, metadata erasure of read-only
+ devices is skipped by default.
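Review bot: The added `info['agent_erase_skip_read_only']` line in agent_add_clean_params (ironic/drivers/modules/deploy_utils.py) has no test in this patch; the diffstat lists only the config module, this file and a release note. An assertion on the new key, for both the default and `erase_skip_read_only=True`, in whatever tests already cover this function would pin the contract with the agent, since a misspelled key would presumably leave the agent on its default without any error. A short comment above the line, e.g. `# Operator opt-in: lets erase_devices skip read-only devices instead of failing.`, would also make it obvious that this key relaxes the erase guarantee. The function starts outside the hunk.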