From b66471e39d13e9acac9ef6d3e8b965a06cc80d18 Mon Sep 17 00:00:00 2001
From: Jacob Anders
Date: Fri, 22 Jan 2021 11:47:00 +1000
Subject: [PATCH] Add support for using NVMe specific cleaning This change adds support for utilising NVMe specific cleaning tools on supported devices. This will remove the neccessity of using shred to securely delete the contents of a NVMe drive and enable using nvme-cli tools instead, improving cleaning performance and reducing wear on the device.
Story: 2008290
Task: 41168
Change-Id: I2f63db9b739e53699bd5f164b79640927bf757d7
---
 ironic/conf/deploy.py | 20 +++++++++++++------
 ironic/drivers/modules/deploy_utils.py | 9 +++++++++
 .../unit/drivers/modules/test_deploy_utils.py | 5 ++++-
 ...ds-nvme-erase-switch-fa91e867e45ede3c.yaml | 14 +++++++++++++
 4 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/adds-nvme-erase-switch-fa91e867e45ede3c.yaml
diff --git a/ironic/conf/deploy.py b/ironic/conf/deploy.py
index cae1b123f8..adc6f52a7f 100644
--- a/ironic/conf/deploy.py
+++ b/ironic/conf/deploy.py
@@ -32,6 +32,14 @@ opts = [
 mutable=True,
 help=_('Whether to support the use of ATA Secure Erase '
 'during the cleaning process. Defaults to True.')),
+ cfg.BoolOpt('enable_nvme_secure_erase',
+ default=True,
+ mutable=True,
+ help=_('Whether to support the use of NVMe Secure Erase '
+ 'during the cleaning process. Currently nvme-cli '
+ 'format command is supported with user-data and '
+ 'crypto modes, depending on device capabilities.'
+ 'Defaults to True.')),
 cfg.IntOpt('erase_devices_priority',
 mutable=True,
 help=_('Priority to run in-band erase devices via the Ironic '
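Review bot: The help string added for `enable_nvme_secure_erase` in ironic/conf/deploy.py joins two adjacent literals without a separating space, so the rendered text reads "device capabilities.Defaults to True.". The literal should end with a trailing space like its neighbours: `'crypto modes, depending on device capabilities. '`. Because this option decides how user data is sanitized, the help would also benefit from one sentence saying what happens on a device that supports neither mode; the hunk does not show that behaviour, so the wording has to come from the agent side. The `opts` list starts and ends outside the hunk.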
@@ -66,12 +74,12 @@ opts = [
 cfg.BoolOpt('continue_if_disk_secure_erase_fails',
 default=False,
 mutable=True,
- help=_('Defines what to do if an ATA secure erase operation '
- 'fails during cleaning in the Ironic Python Agent. '
- 'If False, the cleaning operation will fail and the '
- 'node will be put in ``clean failed`` state. '
- 'If True, shred will be invoked and cleaning will '
- 'continue.')),
+ help=_('Defines what to do if a secure erase operation '
+ '(NVMe or ATA) fails during cleaning in the Ironic '
+ 'Python Agent. If False, the cleaning operation will '
+ 'fail and the node will be put in ``clean failed`` '
+ 'state. If True, shred will be invoked and cleaning '
+ 'will continue.')),
 cfg.IntOpt('disk_erasure_concurrency',
 default=1,
 min=1,
diff --git a/ironic/drivers/modules/deploy_utils.py b/ironic/drivers/modules/deploy_utils.py
index 3c5465e3ee..bc9a7114ea 100644
--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
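Review bot: The reworded help for `continue_if_disk_secure_erase_fails` now covers NVMe but presents the shred fallback as an equivalent way to finish cleaning, with no caveat for flash media. An overwrite pass generally cannot reach over-provisioned or remapped blocks on flash devices, so setting this to True trades sanitization assurance for a completed clean, and operators should be told that. I would append a sentence to the help such as `'Note that overwriting with shred may not sanitize every block on flash-based devices such as NVMe drives.'`. The default of False visible in the hunk is the safer setting and should stay.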
@@ -308,7 +308,16 @@ def agent_add_clean_params(task):
 zeroize = CONF.deploy.shred_final_overwrite_with_zeros
 info['agent_erase_devices_zeroize'] = zeroize
 erase_fallback = CONF.deploy.continue_if_disk_secure_erase_fails
+ info['agent_continue_if_secure_erase_failed'] = erase_fallback
+ # NOTE(janders) ``agent_continue_if_ata_erase_failed`` is deprecated and
+ # will be removed in the "Y" cycle. The replacement option
+ # ``agent_continue_if_secure_erase_failed`` is used to control shred
+ # fallback for both ATA Secure Erase and NVMe Secure Erase.
+ # The ``agent_continue_if_ata_erase_failed`` line can
+ # be deleted along with this comment when support for it is fully removed.
 info['agent_continue_if_ata_erase_failed'] = erase_fallback
+ nvme_secure_erase = CONF.deploy.enable_nvme_secure_erase
+ info['agent_enable_nvme_secure_erase'] = nvme_secure_erase
 secure_erase = CONF.deploy.enable_ata_secure_erase
 info['agent_enable_ata_secure_erase'] = secure_erase
 info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency
diff --git a/ironic/tests/unit/drivers/modules/test_deploy_utils.py b/ironic/tests/unit/drivers/modules/test_deploy_utils.py
index 41cb502ee9..aeeaf6ba3f 100644
--- a/ironic/tests/unit/drivers/modules/test_deploy_utils.py
+++ b/ironic/tests/unit/drivers/modules/test_deploy_utils.py
@@ -1147,6 +1147,7 @@ class AgentMethodsTestCase(db_base.DbTestCase):
 'deploy')
 cfg.CONF.set_override('enable_ata_secure_erase', False, 'deploy')
 cfg.CONF.set_override('disk_erasure_concurrency', 8, 'deploy')
+ cfg.CONF.set_override('enable_nvme_secure_erase', False, 'deploy')
 with task_manager.acquire(
 self.context, self.node.uuid, shared=False) as task:
 utils.agent_add_clean_params(task)
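Review bot: The NOTE(janders) comment in `agent_add_clean_params` (ironic/drivers/modules/deploy_utils.py) says `agent_continue_if_ata_erase_failed` will be removed in the "Y" cycle, while the release note in this same commit tells operators to upgrade the agent image to Wallaby before upgrading the conductor to Xena. The two appear to name different points at which the old key stops being sent. An agent that reads only the old key would presumably lose the operator's fallback choice once the key disappears, so the comment and the release note should state the same release. The function begins and ends outside the hunk, so whether its docstring lists the keys it writes cannot be checked from here.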
@@ -1155,11 +1156,13 @@ class AgentMethodsTestCase(db_base.DbTestCase):
 self.assertIs(False, task.node.driver_internal_info[
 'agent_erase_devices_zeroize'])
 self.assertIs(True, task.node.driver_internal_info[
- 'agent_continue_if_ata_erase_failed'])
+ 'agent_continue_if_secure_erase_failed'])
 self.assertIs(False, task.node.driver_internal_info[
 'agent_enable_ata_secure_erase'])
 self.assertEqual(8, task.node.driver_internal_info[
 'disk_erasure_concurrency'])
+ self.assertIs(False, task.node.driver_internal_info[
+ 'agent_enable_nvme_secure_erase'])

 @mock.patch('ironic.conductor.utils.is_fast_track', autospec=True)
 @mock.patch.object(pxe.PXEBoot, 'prepare_ramdisk', autospec=True)
diff --git a/releasenotes/notes/adds-nvme-erase-switch-fa91e867e45ede3c.yaml b/releasenotes/notes/adds-nvme-erase-switch-fa91e867e45ede3c.yaml
new file mode 100644
index 0000000000..333756a740
--- /dev/null
+++ b/releasenotes/notes/adds-nvme-erase-switch-fa91e867e45ede3c.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Adds the ``[deploy]enable_nvme_secure_erase`` option which allows the
+ operator to enable NVMe format option for all nodes being managed by
+ the conductor.
+deprecations:
+ - |
+ Deprecates ATA specific ``agent_continue_if_ata_erase_failed`` agent's
+ option which is replaced with ``agent_continue_if_secure_erase_failed``.
+ The new option supports both ATA and NVMe secure erase. In order to ensure
+ a smooth migration to the new configuration option, the operators need to
+ upgrade Ironic Python Agent image to Wallaby release prior to upgrading
+ Ironic Conductor to Xena.
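Review bot: In ironic/tests/unit/drivers/modules/test_deploy_utils.py (hunk at -1155) the assertion on `agent_continue_if_ata_erase_failed` is replaced by one on the new key, not kept alongside it, even though `agent_add_clean_params` still writes the deprecated key for older agents. A regression that drops the old key before its planned removal would pass this test, and an older agent would then no longer receive the operator's fallback setting. Keep the previous check next to the new one: `self.assertIs(True, task.node.driver_internal_info['agent_continue_if_ata_erase_failed'])`. The test method starts outside the hunk.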