832 Commits

Author SHA1 Message Date
Julia Kreger
19bc67c196 ci: allow service role CI account usage to have elevated access
When I thought change I2b4bcc748b6e43e4215dc45137becce301349032
was going to fix everything, that was with the mental model that
it was going to be enabled by default. That didn't happen in
review as part of the service, but the reality is we still have
some adjacent CI jobs which need it to operate properly.

Given CI, it is just invoked when scope enforcement is enabled
for CI purposes

Change-Id: I60074504742d8b09017acbb42d2706215b0169af
2024-02-15 20:45:51 +00:00
Zuul
b256551b19 Merge "Disable legacy RBAC policy by default." 2024-01-23 21:58:26 +00:00
Zuul
cd17f5e61a Merge "Drop rootwrap support" 2024-01-23 20:14:36 +00:00
Julia Kreger
4359323558 Disable legacy RBAC policy by default.
Change the default RBAC policy in ironic such that the new RBAC
policy is enforced by default and the legacy policy is not usable
unless explicitly re-enabled.

Depends-On: https://review.opendev.org/c/openstack/metalsmith/+/905012
Change-Id: Id559f1d8b9a76c8a570b598585c2d58c56d08837
2024-01-22 11:10:53 -08:00
Takashi Kajinami
7032a0d9ac Stop using a specific mirror in infra
The host currently hard-coded is not functioning. This replaces
the hard-coded mirror by the local CI mirror detected. In case
mirror info is not available then upstream centos mirror is used.

Change-Id: I96a8cb45154c9dbb50efecc22d34c4ff75c6722a
2024-01-22 22:11:08 +09:00
Dmitry Tantsur
be09717be2
Drop rootwrap support
After removing the iSCSI deploy and changing ISO parsing code to use
a corresponding library, Ironic no longer executes any commands as root
and it should stay this way.

Change-Id: I47d2bab9b94345fbcf89a2a80028853050a041ea
2024-01-08 18:02:27 +01:00
Zuul
2403cd6041 Merge "CI: use Swift for configdrive when available" 2023-12-29 23:31:04 +00:00
Dmitry Tantsur
4cc167cc6e
Test redfish with reduced sushy-tools feature set
Two jobs are changed to test a reduced Redfish implementation:
one PXE job uses the minimum version (only boot/power management)
one vmedia job uses the reduced version (+ NICs, virtual media)

Change-Id: Ib3afdb26b9cd36c0e4f3d736b9c69a5bf508fc0e
2023-12-15 11:38:00 +01:00
Dmitry Tantsur
af8508f51d
CI: use Swift for configdrive when available
We have fixed the issue with TLS settings not being respected in
8a66978666

Change-Id: Ieb79432e897686e03e54d32ea390cca29b506569
2023-12-14 09:02:22 +01:00
Julia Kreger
ce300b3de1 CI: Remove deprecated devstack method
Removes get_uefi_ipxe_boot_file from the devstack plugin
as it is no longer used.

Change-Id: I5eed744a4746767b216399b132e98298471b4ab7
2023-11-16 15:16:49 -08:00
Zuul
5b1e347eb1 Merge "CI: Fix our internal MTU settings" 2023-10-18 06:43:05 +00:00
Zuul
b58f6d394e Merge "Enable OVN CI" 2023-10-10 16:01:15 +00:00
Julia Kreger
40e825ba93 CI: Fix our internal MTU settings
Long story short, we auto-clamp down everything to 1400 bytes
due to VXLAN tunneling for multinode testing. But there are other
reasons to clamp it smaller, and we will need to clamp that further
for multinode should we mix it with OVN.

Anyway, this should make things cleaner and we should rely upon the
gate calcualted MTU as a starting place, not the guess based upon
interface list. i.e. test VM could be wrong but gate could know better.

Change-Id: I385679fe30d1447f1ed94cdf5a419e6acefbc595
2023-10-09 13:13:29 +00:00
Zuul
92ec97ca1b Merge "Remove traces of Docker from devstack dependencies" 2023-10-06 22:15:08 +00:00
Steve Baker
9bd1e033fa grenade: convert neutron cli commands to openstack
Grenade is currently failing not finding the neutron command, we should
likely not be using it anyway since the deprecation message says it may
disappear after Z.

Change-Id: Ic24d59379bafcc5a630fe5c074fcc13303902965
2023-10-06 08:41:52 -07:00
Julia Kreger
3f77091c63 Enable OVN CI
Adds basic testing for PXE/iPXE boot secenarios where the OVN
DHCP service is used instead of dnsmasq.

Also adds a release note and documentation to cover the details
and caveats of using ovn as we have discovered through this process.

Change-Id: I28cd20a7f271220d8ca335895ca9e302452fd069
2023-10-03 14:24:34 +00:00
Harald Jensås
a8ede77e3e devstack - configurable ipv6 address mode
Add variable to define ipv6-address-mode and ipv6-ra-mode
in the devstack plugin.

Change-Id: I0a145bafc2ea37065b0e0fa7445837ded7bd8e46
2023-09-12 18:56:06 +00:00
Harald Jensås
aa2dad9f75
devstack - fix IPv6 ping
Remove the $ in the condition so that we don't attept to
execute the output from ping (i.e PING - unknown command)

Change-Id: Ic90f7c93d9a7b86fbf3f2cdef46bc1b2bbea489d
2023-08-30 12:45:44 +02:00
Zuul
b78f379997 Merge "Revert "Fix IRONIC_IMAGE_NAME=non-existent-image"" 2023-07-19 01:31:24 +00:00
Zuul
e2273d2b81 Merge "Disable spanning tree" 2023-07-12 19:55:24 +00:00
Julia Kreger
0a11855d3f CI: Use focal dnsmasq
Investigation of our standalone test job issues, where jobs would
fail, hosts not get DHCP updates, and ultimately IPXE would
fail prior to getting a valid or the expected response,
revealed the discovery that dnsmasq was crashing often when
the port updates were going through, ultimately preventing
the mutli-scenario test jobs from running as the standalone
jobs represent a number of different scenarios which are
executed across a pool of test machines.

In this case, the path forward appears to be to downgrade
dnsmasq to stablize our CI and allow us to otherwise upgrade.

This patch adds the focal updates as a package source,
and installs the dnsmasq package.

Related-Bug: #2026757
Change-Id: Iacfd1ab677c612525601afcaeee5e5b067206ff3
2023-07-10 12:57:16 -07:00
Julia Kreger
6d3c4ced5f Disable spanning tree
So, I've long wondered if we still have some spanning tree behavior
going on in CI. Turns out we might, but we just rely upon the defaults
which creates a variable.

Anyway, regardless, I found some details in the ovs-vsctl manual[0], and
well, lets set the options!

[0]: http://www.openvswitch.org/support/dist-docs/ovs-vsctl.8.html

Change-Id: I8f229fa6e738a69a668d4b891723431b2da362fa
2023-07-06 17:16:33 +00:00
Ghanshyam
d5931adedb Revert "Fix IRONIC_IMAGE_NAME=non-existent-image"
This reverts commit 2f8ee2cf40b594e3da10f883b453bd81bad6d0ab.

Reason for revert: Tempest removed the setting of DEFAULT_IMAGE_NAME to 'non-existent-image', that should fix the issue
- https://review.opendev.org/c/openstack/tempest/+/886796/2

Change-Id: I4767518b3306a8c4da08d1f0650d78ef8d78ca9c
2023-06-27 04:14:12 +00:00
Iury Gregory Melo Ferreira
2f8ee2cf40 Fix IRONIC_IMAGE_NAME=non-existent-image
Our jobs started failling after a possible change in tempest
that introduced "non-existent-image" [1]

[1] https://review.opendev.org/c/openstack/tempest/+/831018

Change-Id: Iff7943446741e499100561a79c9f4930beab3da2
2023-06-22 22:02:29 -03:00
Dmitry Tantsur
ad651b328e Remove traces of Docker from devstack dependencies
Change-Id: Ie26fb7c644c6feb547bcdc6d847838d2fed0d31f
2023-06-05 11:30:38 +02:00
Julia Kreger
d2039a29de Handle nova policy change
It appears nova's policies have changed, or to be more precise,
they have turned on new policy enforcement[0] and our plugin
was wrong.

+++ /opt/stack/ironic/devstack/lib/ironic:\n
ironic_configure_tempest:3205 :\n
oscwrap --os-cloud devstack-system-admin flavor show baremetal -f value -c id
ForbiddenException: 403: Client Error for url:
https://173.231.254.232/compute/v2.1/flavors/
e4312534-b349-4f70-9a1b-5806debff275/os-extra_specs,
Policy doesn't allow os_compute_api:os-flavor-extra-specs:index to be performed.

[0]: dfd7aeaf6c

Change-Id: I8070852fbe9346e346c50088537797f353753d02
2023-05-23 21:33:57 -07:00
Julia Kreger
fce8c3a651 CI: Change tinycore URL
We'v been able to observe one of the scenario test jobs failing
due to tinycorelinux being inaccessible. Possibly on an IPv6 only
test VM. Turns out tinycorelinux's main page is only accessible via
IPv4.

As such, I've changed the mirror to a mirror which is acessible via
IPv6 and which I've verified works for me.

Change-Id: I2b4ccd16189038ce2f054d7403775b012796aea3
2023-05-19 07:20:56 -07:00
Julia Kreger
9c0b4c90a1 Fix Cinder Integration fallout from CVE-2023-2088
In the recent change to cinder, to address CVE-2023-2088,
cinder changed the policy rules and behavior for unbinding,
or "detaching" a volume. This was because of a vulnerability
in compute nodes where a volume which was in use by a VM
could be detached outside of Nova, and nova wouldn't become
aware the volume was detached, and the volume could be accessible
to the next VM.

This vulnerability doesn't apply to bare metal operations as
volumes are attached to whole baremetal nodes with Ironic.

We now generate and use a service token when interacting with
Cinder which allows cinder to recognize "this request is
coming from a fellow OpenStack service", and by-pass
checking with Nova if the "instance" is managed by Nova,
or Not. This allows the volumes to be attached, and detached
as needed as part of the power operation flow and overall
set of lifecycle operations.

Related-Bug: 2004555
Closes-Bug: 2019892

Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
2023-05-18 07:43:31 -07:00
Zuul
1d0818cba2 Merge "Remove use of nomodeset by default" 2023-05-09 06:29:42 +00:00
Julia Kreger
7f281392c2 Change wholedisk image checksum to sha256
Change-Id: I0c90ac87ca88329e7fb315385345e8020a59fdd5
2023-05-02 13:03:13 -07:00
Julia Kreger
f2605e9281 Remove use of nomodeset by default
The troubleshooting kernel command line option nomodeset
unfortunately changes the way framebuffer interactions work
with graphics devices which in some cases can result in kernel
memory to be used for graphics updates. When this happens on
some specific hardware common in rack mount servers with baseboard
management controllers, this can cause the memory bus to become
locked for a brief time while the graphics update is occuring.

This locked memory bus means disk IO can become blocked,
and network cards can overflow their buffers resulting in
packet loss on top of the latency incurred by the graphics
update executing.

As such, we've removed the nomodeset option from default usage and
added a note describing its removal to the documentation along
with a release note.

Change-Id: I9084d88c3ec6f13bd64b8707892758fa87dd7f86
2023-04-26 07:34:29 -07:00
Riccardo Pittau
87a5f1add5 Bump cirros to version 0.6.1
Use latest cirros available

Change-Id: I916b96d1386d3b1f090df11a7a8d2ef70fe22559
2023-01-26 11:55:58 +01:00
Zuul
320b1f0ca7 Merge "Fix unbound variable in devstack plugin" 2023-01-07 16:30:49 +00:00
Zuul
c93641ff59 Merge "Use tinycore 13 for base ramdisk image" 2023-01-07 15:54:56 +00:00
Zuul
bed680951a Merge "Remove lib/neutron-legacy leftovers" 2023-01-05 12:25:48 +00:00
Zuul
7f6a737e98 Merge "Use centos grub artifacts with centos ramdisk for vmedia" 2023-01-04 20:31:36 +00:00
Julia Kreger
1d07be8237 Use centos grub artifacts with centos ramdisk for vmedia
It appears we are getting an opcode error when attempting to boot
Centos 9-stream utilizing the EFI artifacts from Ubuntu.

Technically this should work, however further aftifacts in the boot
chain may be signed with other key credentials that Ubuntu's
grub does not know about, because the chain of trust is
MSFT -> Vendor shim (slow change rate) -> Vendor GRUB -> Kernel

Where vendor differences should never work, is if Secure Boot
is enforcing.

Exception on launch:
 X64 Exception Type - 06(#UD - Invalid Opcode)  CPU Apic ID - 00000000 !!!!

A similar Debian bug is open for a very similar issue:

https://groups.google.com/g/linux.debian.bugs.dist/c/BOiLLeROrmo

However, no additional comments or information have been in follow
up to that reported issue. So in the mean time, we're going to try
and do what those smarter than I recommend, use the vendor's
binaries for their distribution.

There is one further, potentially far more depressing possibility,
that centos9's kernel doesn't support the type of hardware
we're getting. This is suggested by the precise opcode error, UD,
https://xem.github.io/minix86/manual/intel-x86-and-64-manual-vol3/o_fe12b1e2a880e0ce-212.html
But again, easiest possibility first.

Change-Id: Id9bd30bc3c2f1076555317e4a3f277725fa7c1f4
2023-01-03 17:05:04 -08:00
Riccardo Pittau
cab04afe6e Create IRONIC_VM_MACS_CSV_FILE if it does not exist
The IRONIC_VM_MACS_CSV_FILE is generated only if we execute the
ironic basic ops, so when IRONIC_BAREMETAL_BASIC_OPS is True.
In some jobs we set IRONIC_BAREMETAL_BASIC_OPS to False but we
still look for that file causing a "file not found" error which
does not trigger a trap until focal, but it does in jammy.
Let's create the file if it does not exist.

Change-Id: Ib938abe0723072419f336159cbffff33e46ea39b
2023-01-03 16:09:00 +01:00
Riccardo Pittau
7150478cd8 Fix unbound variable in devstack plugin
The RC_DIR does not existed (and it never existed, it was SRC_DIR)
Change that to TOP_DIR which is what we use commonly in other
sections.

Change-Id: I4a400fd434a20938cd38c0bb876da21fec7473a1
2023-01-02 10:10:50 +01:00
Riccardo Pittau
93158aadd0 Use tinycore 13 for base ramdisk image
We're builing tinyipa using tinycore 13.x since a while, we should use
the same version for the base ramdisk image.

Change-Id: I9d144f122c20f717ff946282ef7ffa16d82812f5
2023-01-02 09:44:26 +01:00
Sławek Kapłoński
facd1bca66 Remove lib/neutron-legacy leftovers
In [1] we finally got rid of the unfinished lib/neutron module and kept
only lib/neutron-legacy. It's renamed to lib/neutron now and it's the
only neutron related module in Devstack.
So this patch removes leftovers related to the old lib/neutron-legacy.

[1] https://review.opendev.org/c/openstack/devstack/+/865014

Change-Id: Id938deab7188743e754d028dee8e0b2591ab6f7b
2022-12-20 11:18:25 +01:00
Ghanshyam Mann
ceec890947 Use project scoped token for cinder, glance services
All services except Ironic (and keystone to support ironic
with system scope deployement), will not have system scope in
their API policy instead they are default to project scoped.

Change-Id: Id13a359086f9b24dbfcd2b565a42c50d0dab7736
2022-10-15 20:05:06 -05:00
Julia Kreger
9344eb22d1 Add upgrade check warning for allocations db
Adding an upgrade check to provide awareness to the state of
the database in regards if an unexpected engine is in use or
if the character set encoding is also not UTF8.

These will raise non-fatal warnings on the upgrade status
check.

Change-Id: Ide0eb4690a056be557e5ea7d5ba5f6be37b50d0a
Story: 2010384
2022-10-13 10:54:55 -07:00
Julia Kreger
d8fc96fd1f CI: Changes to support Anaconda CI jobs
Introduces additional job configuration to enable automated
integration testing via tempest of the anaconda deployment
interface.

Also, configures a private subnet with DNS, which is required
by anaconda executing, in order to facilitate processing of URLs.

Change-Id: I61b5205cf2c9f83dfcabf4314247c76fb6a56acd
2022-09-06 07:38:11 -07:00
Dmitry Tantsur
f0a1778766 Finally remove support for netboot and the boot_option capability
Instance network boot (not to be confused with ramdisk, iSCSI or
anaconda deploy methods) is insecure, underused and difficult to
maintain. This change removes a lot of related code from Ironic.

The so called "netboot fallback" is still supported for legacy boot when
boot device management is not available or is unreliable.

Change-Id: Ia8510e4acac6dec0a1e4f5cb0e07008548a00c52
2022-08-02 12:47:31 +02:00
Julia Kreger
f7471f07c3 CI: Only setup fake v6 interface if needed
In the case of CI test nodes natively supporting and using ipv6,
we don't need to actually setup a fake IPv6 network for ports
to bind to on the local system. So before doin gso, lets check
to see if we can ping the address first. If not, then set it up.

Change-Id: Ib68c706c1f9ef0ad0cf27e7a6acffd2c50ff37ea
2022-07-20 11:08:20 -07:00
Julia Kreger
8b99fcb0e4 CI: Default to TinyIPA when nested virt is not possible
Change-Id: I6bd52f61ff5e9f928b504b09a1ce6eb97cff57da
2022-06-23 14:24:41 -07:00
Julia Kreger
e0c758bb95 CI: Add iweb to the use tinyipa on list
Change-Id: Ib1d415928a6555298d42e8d525f04eb1028a4bb8
2022-06-23 14:13:58 -07:00
Zuul
1b6114934c Merge "Switch to q35 machine type for test nodes" 2022-06-22 14:22:17 +00:00
Steve Baker
832dc8bf94 Switch to q35 machine type for test nodes
q35 is recommended as emulating modern baremetal with better support
for UEFI in general, and Secure Boot in particular.

Old pc type usage is removed, like IDE controller, PS2 mouse, manual
PSI addresses.

Change-Id: Ic33e0f23c5c514a45541534ddd68329d7b4d0480
2022-05-31 04:37:28 +00:00