Added some documentation that details how to change the ironic localdev microversion for testing purposes.
Rendered View: https://files.mcaq.me/944ch.png
Change-Id: I1e21a12ad1413046a41f856ddf229e399f82523a
Grenade by default enables GLOBAL_VENV, which means it
installs and runs everything from a virtual env
- https://review.opendev.org/c/openstack/grenade/+/930507
We faced an error in the ironic grenade scripts in the virtual env,
so GLOBAL_VENV was disabled explicitly. This fixes the scripts
and enables GLOBAL_VENV in ironic jobs also.
Change-Id: I48ee1dd4adc2e5bcc18c5f116d979e7524248495
No jobs are setting this, nor have any set it in some time. Remove it.
Change-Id: I38a092de125e382607d89d8e5a3b85db809a6d61
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Nothing is setting this anymore, making this a layer of indirection
we do not need. Remove it.
Change-Id: Iba3674536ee98ba4d2d0cb5ffb0ec52e5286b7e7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
CentOS Stream and ultimately RHEL have switched to asynchronous
device initialization, which impacts root device hints and their
usability on those systems, in large part because context which
people have traditionally had, no longer holds true on those newer
kernels.
This doc update attempts to provide the needful context to guide
operators to the best possible outcome given the distribution changes.
Change-Id: I541086cfe235b10f1f1dba95fad95022a22f9ce7
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_source
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then recorded new checksum values.
In essence, this opened the user requested image file to be
susceptible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
This is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if you're *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4f4363ee49f77e688701995323a
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
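
Added example, not part of the commit above and not Ironic's code: a minimal sketch of the ordering that commit message describes, where the user-asserted checksum is verified against the downloaded file before any format conversion, and the new checksum is recorded only afterwards. The function names, the `convert` callback and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 20):
    # Stream the file so large images are not read into memory at once.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_then_convert(path, expected, convert, algo="sha256"):
    # `convert` is a hypothetical callable (path -> converted path) standing
    # in for the raw conversion step. Returns (converted_path, new_checksum).
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected.lower()):
        # Fail closed: never convert or re-checksum unverified content.
        raise ValueError(f"checksum mismatch: expected {expected}, got {actual}")
    converted = convert(path)
    # The recorded post-conversion checksum now derives from verified input.
    return converted, file_digest(converted, algo)


def fake_convert(path):
    # Constructed stand-in for a format conversion: prefixes a marker.
    with open(path, "rb") as src, open(path + ".raw", "wb") as dst:
        dst.write(b"RAW:" + src.read())
    return path + ".raw"


def demo():
    # Constructed sample bytes, not a real disk image.
    img = os.path.join(tempfile.mkdtemp(), "image.qcow2")
    with open(img, "wb") as f:
        f.write(b"constructed sample image")
    asserted = hashlib.sha256(b"constructed sample image").hexdigest()
    _, new_sum = verify_then_convert(img, asserted, fake_convert)
    # Simulate the remote server replacing the content after it was pinned.
    with open(img, "wb") as f:
        f.write(b"replaced content")
    try:
        verify_then_convert(img, asserted, fake_convert)
    except ValueError:
        return new_sum, True
    return new_sum, False
```
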
When we were fixing the qemu-img related CVE, in our rush we didn't
realize that the logic for storage sizing, which only falls back to
actual size didn't match the prior interface exactly. Instead of
disk_size, we have actual_size on the format inspector.
This was not discovered because all of the code handling that side
of the unit tests was mocked.
Anyhow, easy fix.
Closes-Bug: 2083520
Change-Id: Ic4390d578f564f245d7fb4013f2ba5531aee9ea9
Add a CI job to leverage a 4k logical block disk image which is
deployed to the remote system to ensure the build pipeline and
code to navigate 4k disk images is in working order.
Change-Id: If7aee654f9282b33ea489558f45f45cfed86e9d1
Checks are added to three places:
1) Power state change API
2) Power sync loop in the conductor
3) The common node_power_action call
Partial-Bug: #2077432
Change-Id: Ifcc539b32022870bf8e96aa17fdeb2d111d2a393
According to the driver-requirements.txt, ironic requires pysnmp >= 5
now, so this logic is just useless.
Change-Id: Iea843689ebf04fa0539c0ff2c783c18131646dff
Recently we became aware that some operators might need a larger
block size, but our CI testing doesn't represent any ability to
assert a different block size.
We can now assert a block size override in the scripting which
allows us to create a CI job.
Change-Id: I8470fb5b2827226dc155938a94c3a2cbe98912b5
This patch adds some initial documentation
for the update step available via
the redfish firmware interface.
Change-Id: I4a70e2e78d725fd96a2ddd116c6d6e0d9c3b9639
Both the driver and the conductor code try to transition the node to
INSPECTFAIL, with the 2nd attempt failing. Rework the driver code to
only do implementation-specific clean-up. Also safeguard the conductor
code against this case.
Change-Id: Ie1c64b4807ecf29fa0da54501798d363675977c8
Its existence is probably a legacy of the iSCSI deploy times. Currently,
we have 4 different base classes/mixins in agent_base, which is
confusing even for a long-term contributor like me. AgentDeployMixin is
only used in CustomAgentDeploy, so it makes sense to get rid of it to
simplify the code navigation.
All deploy steps are moved to CustomAgentDeploy. Two helper methods,
prepare_instance_to_boot and configure_local_boot are only used in
AgentDeploy, so moving them there.
Change-Id: Ib670571eb511d2f2e724ecfab1d2abb1ab471346