Add knob for read-only and "erase_devices"

In https://review.opendev.org/#/c/704725 we merged a change to
allow the agent to navigate read-only block devices. By default
we always failed on the more secure "erase_devices" clean step as
meta-data only erasure still leaves any sensitive information on
the storage medium.

That being said, it may be operationally okay for read-only devices
to be ignored during the "erase_devices" clean step. Only the
operator can make that call, and we should enable them to be able
to assert that in the configuration to IPA.

Change-Id: I475f0215eb0bd149c2d21e6962429181b63e8bdb
Julia Kreger 2020-07-13 09:55:56 -07:00
parent 0e65f0134d
commit 3d778db0c4
3 changed files with 24 additions and 0 deletions


@ -147,6 +147,17 @@ opts = [
'Test" and typical ramdisk start-up. This value should ' 'Test" and typical ramdisk start-up. This value should '
'not exceed the [api]ramdisk_heartbeat_timeout ' 'not exceed the [api]ramdisk_heartbeat_timeout '
'setting.')), 'setting.')),
cfg.BoolOpt('erase_skip_read_only',
default=False,
mutable=True,
help=_('If the ironic-python-agent should skip read-only '
'devices when running the "erase_devices" clean step '
'where block devices are zeroed out. This requires '
'ironic-python-agent 6.0.0 or greater. By default '
'a read-only device will cause non-metadata based '
'cleaning operations to fail due to the possible '
'operational security risk of data being retained '
'between deployments of the bare metal node.')),
] ]
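Review bot: the help text for `erase_skip_read_only` explains the default (a read-only device fails non-metadata cleaning) but not what happens when the option is True and the ramdisk is older than the required ironic-python-agent 6.0.0, i.e. whether the parameter is ignored and the step still fails or cleaning proceeds. Because the option is `mutable=True` and global, a config reload changes the cleaning outcome for every node served by this conductor at once; suggest one more sentence in the help stating the behaviour with older agents and that the setting is conductor-wide rather than per node, so an operator enabling it understands its blast radius.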


@ -311,6 +311,7 @@ def agent_add_clean_params(task):
secure_erase = CONF.deploy.enable_ata_secure_erase secure_erase = CONF.deploy.enable_ata_secure_erase
info['agent_enable_ata_secure_erase'] = secure_erase info['agent_enable_ata_secure_erase'] = secure_erase
info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency
info['agent_erase_skip_read_only'] = CONF.deploy.erase_skip_read_only
task.node.driver_internal_info = info task.node.driver_internal_info = info
task.node.save() task.node.save()
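Review bot: `agent_erase_skip_read_only` is written into `driver_internal_info` with no test in this change (the three files touched are the config option, `agent_add_clean_params`, and the release note). Suggest a unit test asserting that `info['agent_erase_skip_read_only']` mirrors `CONF.deploy.erase_skip_read_only` for both values, so the secure default of False is pinned and a later refactor cannot drop the key silently. Persisting the value per node is useful for auditing which nodes were cleaned with read-only devices skipped; a debug log line at the same point when the option is True would make that visible in the conductor log as well.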


@ -0,0 +1,12 @@
---
features:
- |
Adds the capability for an operator to set a configuration setting which
tells the ironic-python-agent it is okay to skip read-only block devices
when performing an ``erase_devices`` cleaning operation. This requires
ironic-python-agent version 6.0.0 or greater and can be set using the
``[deploy]erase_skip_read_only`` configuration option.
other:
- |
Starting in ironic-python-agent 6.0.0, metadata erasure of read-only
devices is skipped by default.
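Review bot: the feature note omits the trade-off the config help text states, namely that skipping read-only devices leaves whatever data they hold in place between deployments of the node. Operators who only read release notes should see that before enabling `[deploy]erase_skip_read_only`; suggest adding a sentence such as "Enabling this option means data on read-only block devices is not erased and may persist across deployments." The `other` entry describes ironic-python-agent behaviour rather than a change in this repository; if it is kept, it should say explicitly that metadata erasure of read-only devices is skipped regardless of the new option, so it is not read as an effect of this setting.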