Merge "Follow up Secure boot support for irmc-virtual-media driver"

2017-11-07 13:30:31 +00:00 · 2017-11-07 13:30:31 +00:00 · a3896fa8c4
commit a3896fa8c4
parent c6e97cb3ac 4b8b48fe65
3 changed files with 38 additions and 8 deletions
--- a/doc/source/admin/drivers/irmc.rst
+++ b/doc/source/admin/drivers/irmc.rst
@ -146,8 +146,9 @@ Node configuration
    irmc_username.
  - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
    UEFI boot is required.
-  - ``properties/capabilities`` property to be ``boot_mode:uefi,secure_boot:true`` if
-    UEFI Secure Boot is required.
+  - ``properties/capabilities`` property to be ``secure_boot:true`` if
+    UEFI Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.

 * All of nodes are configured by setting the following configuration
  options in ``[irmc]`` section of ``/etc/ironic/ironic.conf``:
@ -215,7 +216,8 @@ Node configuration
  - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
    UEFI boot is required.
  - ``properties/capabilities`` property to be ``secure_boot:true`` if
-    Secure Boot is required.
+    Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.
  - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
    file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
    URL``.
@ -299,7 +301,8 @@ Node configuration
  - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
    UEFI boot is required.
  - ``properties/capabilities`` property to be ``secure_boot:true`` if
-    Secure Boot is required.
+    Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
+    for more information.
  - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
    file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
    URL``.
@ -352,6 +355,32 @@ Node configuration
 Functionalities across drivers
 ==============================

+UEFI Secure Boot Support
+^^^^^^^^^^^^^^^^^^^^^^^^
+The hardware type ``irmc`` and iRMC classic drivers support secure boot deploy.
+
+.. warning::
+     Secure boot feature is not supported with ``pxe`` boot interface.
+
+The UEFI secure boot can be configured by adding ``secure_boot`` parameter,
+which is a boolean value. Enabling the secure boot is different when
+Bare Metal service is used with Compute service or without Compute service. The
+following sections describes both methods:
+
+* Enabling secure boot with Compute service:
+  To enable secure boot we need to set a capability on the bare metal node
+  and the bare metal flavor, for example::
+
+    openstack baremetal node set <node-uuid> --property capabilities='secure_boot:true'
+    openstack flavor set FLAVOR-NAME --property capabilities:secure_boot="true"
+
+* Enabling secure boot without Compute service:
+  Since adding capabilities to the node's properties is only used by the nova
+  scheduler to perform more advanced scheduling of instances, we need
+  to enable secure boot without nova, for example::
+
+    openstack baremetal node set <node-uuid> --instance-info capabilities='{"secure_boot": "true"}'
+
 .. _irmc_node_cleaning:

 Node Cleaning Support
--- a/ironic/tests/unit/drivers/modules/irmc/test_boot.py
+++ b/ironic/tests/unit/drivers/modules/irmc/test_boot.py
@ -1157,7 +1157,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                       autospec=True)
    def test_clean_up_instance_with_secure_boot(self, mock_cleanup_vmedia_boot,
                                                mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
        self.node.target_provision_state = states.AVAILABLE
        self.node.instance_info = {
            'capabilities': {
@ -1178,7 +1178,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                       autospec=True)
    def test_clean_up_instance_with_secure_boot_false(
            self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
        self.node.target_provision_state = states.AVAILABLE
        self.node.instance_info = {
            'capabilities': {
@ -1198,7 +1198,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
                       autospec=True)
    def test_clean_up_instance_without_secure_boot(
            self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
-        self.node.provision_state = states.CLEANING
+        self.node.provision_state = states.DELETING
        self.node.target_provision_state = states.AVAILABLE
        self.node.save()
        with task_manager.acquire(self.context, self.node.uuid,
--- a/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml
+++ b/releasenotes/notes/add-secure-boot-suport-irmc-9509f3735df2aa5d.yaml
@ -2,4 +2,5 @@
 features:
  - |
    Adds support to provision an instance in secure boot mode for
-    ``irmc-virtual-media`` boot interface.
+    ``irmc-virtual-media`` boot interface. For details, see the `iRMC driver documentation
+    <https://docs.openstack.org/ironic/latest/admin/drivers/irmc.html#uefi-secure-boot-support>`_.