1813 Commits

Author SHA1 Message Date
Zuul
71ebba5cf3 Merge "Add some tuning documentation" 2021-02-15 15:41:20 +00:00
Zuul
a2cc1baa86 Merge "Address some rbac review feedback in merged patches" 2021-02-15 07:03:59 +00:00
Julia Kreger
bb30f9945c Add some tuning documentation
Change-Id: I56e3c45bf7ae89b3f96ee826565bf153908d1bf7
2021-02-13 14:28:07 +00:00
Zuul
4b6a18f24c Merge "Trivial: update version for deploy steps" 2021-02-12 18:12:30 +00:00
Zuul
52ff615c98 Merge "Guard conductor from consuming all of the ram" 2021-02-12 18:11:57 +00:00
Dmitry Tantsur
7eadc52403 Trivial: update version for deploy steps
Change-Id: I4aac0a9f2e9bd1ae40f41722ab75e92f2a09cfef
2021-02-12 17:04:06 +01:00
Zuul
766d8f11b4 Merge "Add 'deploy steps' parameter for provisioning API" 2021-02-12 16:01:33 +00:00
Julia Kreger
e3ccb9ec22 Address some rbac review feedback in merged patches
Some of the early test changes for the RBAC work have merged
which is awesome, but a couple minor follow-up items should be
addressed. They are so minor it doesn't really make sense to merge
in with one of the patches in the chain.

Change-Id: I85de4d953237f240c3c220f6a57169c633fb295f
2021-02-12 06:56:31 -08:00
Steve Baker
606549c1c9 Populate existing policy tests
Testing every combination of role, endpoint and policy rule would
result in a huge test count, so to make testing the existing policy
rules complete and practical, the following guidelines are suggested:

- Only the default policy is tested, so inactive rules such as
  is_node_owner, is_node_lessee are ignored.
- Each rule is tested completely on one endpoint which uses it.
- A rule (such as baremetal:node:list) which inherits a parent rule
  (baremetal:node:get) is considered covered by the parent test.
- All endpoints need at least one test, but other endpoints which share
  a fully tested rule only need one denied test which shows that they
  are covered by some policy.

Also adds the initial pass of contributor documentation on how the
rbac testing works to try and express the mechanics and what to
expect to aid in reviewing/updating/editing the rules.

Co-Authored-By: Julia Kreger <juliaashleykreger@gmail.com>
Change-Id: I1cd88210e40e42f86464e6a817354620f5ab1d9c
2021-02-11 10:34:52 -08:00
Zuul
4e5c034187 Merge "Make boot_mode more consistent with other capabilities" 2021-02-11 14:24:31 +00:00
Dmitry Tantsur
cf22604c58 Prevent redfish-virtual-media from being used with Dell nodes
Indicate that idrac-redfish-virtual-media must be used instead,
otherwise a confusing failure will happen.

Change-Id: I3b6ced6dcf03580903f5ea7237fc057f372999f9
2021-02-05 12:09:00 +01:00
Aija Jauntēva
3138acc836 Add 'deploy steps' parameter for provisioning API
Story: 2008043
Task: 40705
Change-Id: I3dc2d42b3edd2a9530595e752895e9d113f76ea8
2021-02-03 11:47:53 -05:00
Zuul
f4197a12ef Merge "Redfish secure boot management" 2021-02-03 14:43:06 +00:00
Dmitry Tantsur
ccc6c551c3 Make boot_mode more consistent with other capabilities
All capabilities, except for boot_mode, are read from instance_info.
This change makes instance_info.capabilities[boot_mode] work as well
and deprecates instance_info.deploy_boot_mode.

Note that the special handling of properties.capabilities[boot_mode]
is kept in this patch.

Change-Id: Ic2e7fd4c71b7a7bc2950d17f7e1bbdad73bbb8a7
2021-02-02 12:06:17 +01:00
Dmitry Tantsur
a5f7d75ba2 Apply force_persistent_boot_device to all boot interfaces
For some (likely historical) reasons we only use it for PXE and iPXE,
but the same logic applies to any boot interface (since it depends
on how the management interface and the BMC work, not on the boot
method). This change moves its handling to conductor utils.

Change-Id: I948beb4053034d3c1b4c5b7c64100e41f6022739
2021-02-01 13:37:20 +01:00
Julia Kreger
d9913370de Guard conductor from consuming all of the ram
One of the biggest frustrations larger operators have is when they
trigger a massive number of concurrent deployments. As one would
expect, the memory utilization of the conductor goes up. Except,
even with the default number of worker threads, if we're requested
to convert 80 images at the same time, or to perform the write-out
to the remote node at the same time, we will consume a large amount
of system RAM. Or more specifically, qemu-img will consume a large
amount of memory.

If the amount of memory goes too low, the system can trigger
OOMKiller which will slay processes using ram. Ideally, we do not
want this to happen to our conductor process, much less the work
that is being performed, so we need to add some guard rails to help
keep us from entering into situations where we may compromise the
conductor by taking on too much work.

Adds a guard in the conductor to prevent multiple parallel
deployment operations from running the conductor out of memory.

With the defaults, the conductor will attempt to throttle back
automatically and hold worker threads which will slow down the
amount of work also proceeding through the conductor, as we are
in a memory condition where we should be careful about the work.

The defaults allow this to occur for a total of 15 seconds between
re-check of available RAM, for a total number of six retries.
The minimum default is 1024 (MB), as this is the amount of memory
qemu-img allocates when trying to write images. This quite literally
means no additional qemu-img process can spawn until the default
memory situation has resolved itself.

Change-Id: I69db0169c564c5b22abd0cb1b890f409c13b0ac2
2021-01-29 14:33:57 -08:00
Zuul
fd34d3c437 Merge "Add centralized secure boot documentation" 2021-01-27 13:36:39 +00:00
Dmitry Tantsur
4c4c7a869a Add a few words about UEFI user images
Change-Id: I37a686e6f48a422d38ac5921a188d894519b7530
2021-01-26 21:22:56 +01:00
Dmitry Tantsur
33d51f221f Redfish secure boot management
Story: #2008270
Task: #41137
Change-Id: Ied53f8dc5b93522ac9ffc25ec93ad2347a7d1c7c
2021-01-26 17:15:46 +01:00
Dmitry Tantsur
04400eea47 Add centralized secure boot documentation
Move the bits from iLO and iRMC, clean them up a bit.

Change-Id: I5b6da854ae0214141ae25a17b8ea3c7874636372
2021-01-26 17:00:50 +01:00
Dmitry Tantsur
bb318008b9 redfish-virtual-media: allow a link to raw configdrive image
For historical reasons we always base64+gzip configdrives, even
when accessing them via a URL. This change allows binary images
to work for the redfish-virtual-media case.

Change-Id: If19144de800b67275e3f8fb297f0a5c4a54b2981
2021-01-22 16:26:44 +01:00
Zuul
5640860c81 Merge "Follow-up for ramdisk deploy configdrive support" 2021-01-21 14:06:14 +00:00
Aija Jauntēva
b0df0960e2 Update iDRAC doc with missing interfaces
Change-Id: I691b76879ba00fb5535d7016c9d6fb53e9dde462
2021-01-20 09:25:19 -05:00
Zuul
67c90e7e4f Merge "Policy json to yaml migration" 2021-01-19 02:11:28 +00:00
Zuul
07bdccea58 Merge "Do not enter maintenance if cleaning fails before running the 1st step" 2021-01-12 07:10:42 +00:00
Dmitry Tantsur
fe380bbbab Follow-up for ramdisk deploy configdrive support
1) Do not issue a warning if the boot interface supports configdrive
2) Implement missing support for Swift URLs in configdrives

Change-Id: I4b06478a14ab514d785f8e3972e5afbd79f8d3b5
2021-01-11 20:02:27 +01:00
Zuul
6af2e2d9d1 Merge "Support configdrive when doing ramdisk deploy with redfish-virtual-media" 2021-01-11 17:28:39 +00:00
Zuul
1c7b5f8259 Merge "docs: Add information on post-branch release tasks for bifrost" 2021-01-08 15:25:17 +00:00
Dmitry Tantsur
ad696c9bac Do not enter maintenance if cleaning fails before running the 1st step
We use maintenance mode to signal that hardware needs additional
intervention, because of potential damage or stuck long-running
processes. This is not the case for PXE booting or invalid requested
manual clean steps, so don't set maintenance if no clean step is
running when the failure occurs.

Change-Id: I8a7ce072359660fc6640e5f20ec2d3c452033557
2021-01-08 14:57:07 +01:00
Zuul
d5f184ea16 Merge "Document using ramdisks with the ramdisk deploy interface" 2021-01-05 18:31:38 +00:00
Julia Kreger
2404d486ac Policy json to yaml migration
Adds the status upgrade check for the JSON to YAML migration
effort and updates the documentation where it seems appropriate
to move from "policy.json" to "policy.yaml"

Mostly shamelessly copied from https://review.opendev.org/#/c/748059/
however is in-line with ironic's configuration and patching methods.

Related Blueprint: policy-json-to-yaml

Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8
2021-01-04 13:40:54 -08:00
Julia Kreger
1e96ecbdbc Add troubleshooting on changing ironic.conf default interfaces
Change-Id: If836d064ed7e8f6eaefbc0cfab8c404d2c3174fb
2021-01-04 09:40:41 -08:00
Zuul
fcf029a0ad Merge "Modify port group document for ironic" 2021-01-04 09:51:49 +00:00
Zuul
0112b33291 Merge "Mark the iSCSI deploy as deprecated in the docs" 2021-01-01 17:51:12 +00:00
Zuul
3864483a76 Merge "update python packages to python3 in quickstart.rst" 2021-01-01 04:08:24 +00:00
huth
182a6fcff5 Modify port group document for ironic
Add a simple sample about configuring bonding via configdrive,
and it can make user to use port group more easily.

Story: 2008474
Task: 41514

Signed-off-by: huth <428437106@qq.com>
Change-Id: Ic425ecb35bfa173adf72b0ee104d28c6b79cb4b1
2020-12-31 10:34:26 +08:00
Dmitry Tantsur
382a43627e Mark the iSCSI deploy as deprecated in the docs
Also move it to the bottom of the user guide and fix some ancient
bits (more fixing required).

Change-Id: I118d3385110c85cb6e5f1beacb7c5d1887bda616
2020-12-29 17:34:35 +01:00
likui
d99a52f2cf update python packages to python3 in quickstart.rst
since 'train' cycle, we should test python3 by default.

Change-Id: Iadba4098e7ff5b9456fd0224353e55aad73a2b5b
2020-12-27 16:19:03 +08:00
Dmitry Tantsur
06a1d38fc1 Support configdrive when doing ramdisk deploy with redfish-virtual-media
When using Redfish virtual media, it's possible to connect a configdrive
via a free USB slot when the ramdisk deploy is used.

Using Swift as configdrive storage is not supported in this case yet.

Story: #2008380
Task: #41302
Change-Id: Ib847dbfe96072cfe4137388ba88ef133bd7ab186
2020-12-23 18:30:07 +01:00
Zuul
21db60c8f7 Merge "Document that DHCP-less deploy does work with debian-minimal" 2020-12-18 17:12:08 +00:00
Zuul
b52fcfaca0 Merge "Update outdated descripton for default_boot_option" 2020-12-17 15:44:31 +00:00
ericxiett
4cb406b8f7 Update outdated descripton for default_boot_option
The default value of `default_boot_option` has already been
'local', so update the note.

Change-Id: Ia846fa82121cda942697a240eec5bbd7bd93e68e
2020-12-17 01:57:55 +00:00
Dmitry Tantsur
3b15d543f1 Document that DHCP-less deploy does work with debian-minimal
Change-Id: I9ec4f9ceac0c5517ce59c6db3681ef9dc643ec14
2020-12-16 19:42:58 +01:00
Dmitry Tantsur
20f25068c6 Document using ramdisks with the ramdisk deploy interface
Change-Id: Ibc28cbfaa9331343c1f91f0e6b32aafda3e5718c
Depends-On: https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/767376
2020-12-16 19:12:29 +01:00
Zuul
4896f58a2d Merge "Fix release guide and include intermediate branches" 2020-12-15 17:09:52 +00:00
Dmitry Tantsur
a599f898dc Document the current status of the DHCP-less deploy
I could not make the ramdisk side work on a variety of distributions,
the same problem has been confirmed by another contributor. Until we
get a working procedure for building a ramdisk, add an ugly warning
to the documentation.

Change-Id: I12100539b9987fcb47ba81c75ec96ed501d50c82
2020-12-15 14:48:04 +01:00
Dmitry Tantsur
255fac17a0 Rewrite DHCP-less documentation
The current documentation is basically unreadable and contains a few
factual errors. Rewrite it for simplicity and move to a separate file
since at least 2 hardware types claim its support.

The patch does not concern the current status of the feature, an
easily revertable follow-up will be posted for that.

Change-Id: I3404378333316b0736ce07610a1dbbd7847bac00
2020-12-15 14:45:46 +01:00
Riccardo Pittau
4e9c6184c4 Fix release guide and include intermediate branches
Fix the command to submit new releases and adds command reference
for the intermediate bugfix branches.

Change-Id: I79a039a6effcf8bd13e5c3ab5a231d5b515c8297
2020-12-15 10:37:06 +01:00
Zuul
2d70e6e26e Merge "IPMI: Handle vendor set boot device differences" 2020-12-14 21:03:02 +00:00
Julia Kreger
a7ac9ce8cd IPMI: Handle vendor set boot device differences
Supermicro machines, when in UEFI mode, have a different
device number, in binary, to represent the hard disk from
other vendors such as Fujitsu which actually has somewhat
similar code in their driver.

This means we need to be somewhat cognizent of the vendor of
the BMC and possibly update the device mapping based upon that
vendor.

This may ultimately fix a number of IPMI related problems, because
there is a reliance upon the text output of ipmitool, which only
reads the bytes retured by the BMC, which may not be reality after
the next reset, espescialy if ipmitool doesn't know of the UEFI
operating difference.

Change-Id: Ie19db9e0cf1eafdfc9bb46248f4d457337821f94
Story: 2008241
Task: 41085
2020-12-14 12:00:38 +00:00