From e958b379c1008d53df0a453fe193affd6401918a Mon Sep 17 00:00:00 2001
From: cid
Date: Fri, 7 Jun 2024 15:19:38 +0100
Subject: [PATCH] Link MACs with PXE config to pxe_enabled ports
Currently, Ironic creates a pxe link file for every port, even when a port's pxe_enabled property is set to false, which means it can still boot from this port when it shouldn't. With this commit, unless explicitly configured otherwise, only pxe_enabled ports (pxe_enabled=True) will have the pxe link file.
Closes-Bug: #1741422
Change-Id: I013861dd5b9a7525058606f8dc8b05502a28af1e
---
 ironic/common/pxe_utils.py | 2 +
 ironic/tests/unit/common/test_pxe_utils.py | 47 +++++++++++++++++++
 ...ly-pxe-enabled-ports-d2ca5386bdd04bef.yaml | 6 +++
 3 files changed, 55 insertions(+)
 create mode 100644 releasenotes/notes/restrict-pxe-link-files-to-only-pxe-enabled-ports-d2ca5386bdd04bef.yaml
diff --git a/ironic/common/pxe_utils.py b/ironic/common/pxe_utils.py
index fc4fb97447..3f8eca953e 100644
--- a/ironic/common/pxe_utils.py
+++ b/ironic/common/pxe_utils.py
@@ -115,6 +115,8 @@ def _link_mac_pxe_configs(task, ipxe_enabled=False):
 pxe_config_file_path = get_pxe_config_file_path(
 task.node.uuid, ipxe_enabled=ipxe_enabled)
 for port in task.ports:
+ if not CONF.neutron.add_all_ports and not port.pxe_enabled:
+ continue
 client_id = port.extra.get('client-id')
 # Syslinux, ipxe, depending on settings.
 create_link(_get_pxe_mac_path(port.address, client_id=client_id,
diff --git a/ironic/tests/unit/common/test_pxe_utils.py b/ironic/tests/unit/common/test_pxe_utils.py
index ca19d621b6..27d08ecf55 100644
--- a/ironic/tests/unit/common/test_pxe_utils.py
+++ b/ironic/tests/unit/common/test_pxe_utils.py
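Review bot: The new guard in `_link_mac_pxe_configs` (ironic/common/pxe_utils.py) skips a port with no comment or log line, and it keys the decision on `CONF.neutron.add_all_ports`, so a networking option now also decides which MAC addresses get a boot-config link. A comment above the check would make that coupling explicit, for example `# Link only ports allowed to PXE boot; [neutron]add_all_ports opts back in to linking every port.` The guard only prevents new links: a port whose pxe_enabled was switched to False after an earlier deploy may still have a link on disk, and the removal path is not visible in this hunk, so it is worth confirming that cleanup still covers every port address regardless of pxe_enabled. The loop body continues past the end of the hunk.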
@@ -517,6 +517,53 @@ class TestPXEUtils(db_base.DbTestCase): unlink_mock.assert_has_calls(unlink_calls) create_link_mock.assert_has_calls(create_link_calls) + @mock.patch('ironic.common.utils.create_link_without_raise', autospec=True) + def test_link_mac_pxe_configs_with_pxe_disabled(self, create_link_mock): + port_1 = object_utils.create_test_port( + self.context, node_id=self.node.id, pxe_enabled=True, + address='11:22:33:44:55:66', uuid=uuidutils.generate_uuid()) + port_2 = object_utils.create_test_port( + self.context, node_id=self.node.id, pxe_enabled=False, + address='11:22:33:44:55:67', uuid=uuidutils.generate_uuid()) + + with task_manager.acquire(self.context, self.node.uuid) as task: + task.ports = [port_1, port_2] + + # Test with add_all_ports set to False (default) + pxe_utils._link_mac_pxe_configs(task) + + # Verify that no links were created for pxe disabled ports + self.assertNotIn(mock.call( + u'../%s/config' % self.node.uuid, + '/tftpboot/pxelinux.cfg/01-11-22-33-44-55-67'), + create_link_mock.mock_calls) + self.assertNotIn(mock.call( + u'%s/config' % self.node.uuid, + '/tftpboot/grub.cfg-01-11-22-33-44-55-67'), + create_link_mock.mock_calls) + self.assertNotIn(mock.call( + u'%s/config' % self.node.uuid, + '/tftpboot/11:22:33:44:55:67.conf'), + create_link_mock.mock_calls) + + # Test with add_all_ports set to True + self.config(add_all_ports=True, group='neutron') + pxe_utils._link_mac_pxe_configs(task) + + # Verify that links were created for all ports + self.assertIn(mock.call( + u'../%s/config' % self.node.uuid, + '/tftpboot/pxelinux.cfg/01-11-22-33-44-55-67'), + create_link_mock.mock_calls) + self.assertIn(mock.call( + u'%s/config' % self.node.uuid, + '/tftpboot/grub.cfg-01-11-22-33-44-55-67'), + create_link_mock.mock_calls) + self.assertIn(mock.call( + u'%s/config' % self.node.uuid, + '/tftpboot/11:22:33:44:55:67.conf'), + create_link_mock.mock_calls) + @mock.patch('ironic.common.utils.create_link_without_raise', autospec=True) 
@mock.patch('ironic_lib.utils.unlink_without_raise', autospec=True)
 @mock.patch('ironic.common.dhcp_factory.DHCPFactory.provider',
diff --git a/releasenotes/notes/restrict-pxe-link-files-to-only-pxe-enabled-ports-d2ca5386bdd04bef.yaml b/releasenotes/notes/restrict-pxe-link-files-to-only-pxe-enabled-ports-d2ca5386bdd04bef.yaml
new file mode 100644
index 0000000000..1444c7cf84
--- /dev/null
+++ b/releasenotes/notes/restrict-pxe-link-files-to-only-pxe-enabled-ports-d2ca5386bdd04bef.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ During node deployment, unless explicitly configured otherwise,
+ Ironic now only creates PXE link files for ports with pxe_enabled=True,
+ preventing unintended booting from disabled ports.
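Review bot: In `test_link_mac_pxe_configs_with_pxe_disabled` (ironic/tests/unit/common/test_pxe_utils.py) the default-configuration half only asserts that the paths for `11:22:33:44:55:67` are absent, so it would still pass if `_link_mac_pxe_configs` created no links at all. Adding a positive check for the enabled port after the first call, such as `self.assertIn(mock.call(u'../%s/config' % self.node.uuid, '/tftpboot/pxelinux.cfg/01-11-22-33-44-55-66'), create_link_mock.mock_calls)`, pins the filter to the disabled port only. Calling `create_link_mock.reset_mock()` before `self.config(add_all_ports=True, group='neutron')` would also keep the second half's `assertIn` checks from reading calls recorded by the first invocation.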