Merge "Follow up Secure boot support for irmc-virtual-media driver"

Zuul 2017-11-07 13:30:31 +00:00 committed by Gerrit Code Review
commit a3896fa8c4
3 changed files with 38 additions and 8 deletions
doc/source/admin/drivers
ironic/tests/unit/drivers/modules/irmc
releasenotes/notes

@ -146,8 +146,9 @@ Node configuration
irmc_username. irmc_username.
- ``properties/capabilities`` property to be ``boot_mode:uefi`` if - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
UEFI boot is required. UEFI boot is required.
- ``properties/capabilities`` property to be ``boot_mode:uefi,secure_boot:true`` if - ``properties/capabilities`` property to be ``secure_boot:true`` if
UEFI Secure Boot is required. UEFI Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
for more information.
* All of nodes are configured by setting the following configuration * All of nodes are configured by setting the following configuration
options in ``[irmc]`` section of ``/etc/ironic/ironic.conf``: options in ``[irmc]`` section of ``/etc/ironic/ironic.conf``:
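Review bot: the rewritten Secure Boot bullet drops ``boot_mode:uefi`` from the capability string (``boot_mode:uefi,secure_boot:true`` becomes ``secure_boot:true``) without saying whether UEFI boot mode is now implied or must still be set through the bullet above it. ``properties/capabilities`` holds one combined string, as the old wording showed, so an operator who follows the new text literally can replace an existing ``boot_mode:uefi`` value. Please state whether ``secure_boot:true`` alone is sufficient, or show the combined value.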
@ -215,7 +216,8 @@ Node configuration
- ``properties/capabilities`` property to be ``boot_mode:uefi`` if - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
UEFI boot is required. UEFI boot is required.
- ``properties/capabilities`` property to be ``secure_boot:true`` if - ``properties/capabilities`` property to be ``secure_boot:true`` if
Secure Boot is required. Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
for more information.
- ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
URL``. URL``.
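Review bot: this bullet says "Secure Boot is required" while the corresponding bullet in the first hunk and the new section title both say "UEFI Secure Boot". Please use one term in all of these places so readers do not take them for different features.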
@ -299,7 +301,8 @@ Node configuration
- ``properties/capabilities`` property to be ``boot_mode:uefi`` if - ``properties/capabilities`` property to be ``boot_mode:uefi`` if
UEFI boot is required. UEFI boot is required.
- ``properties/capabilities`` property to be ``secure_boot:true`` if - ``properties/capabilities`` property to be ``secure_boot:true`` if
Secure Boot is required. Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
for more information.
- ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso - ``driver_info/irmc_deploy_iso`` property to be either ``deploy iso
file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service file name``, ``Glance UUID``, ``Glance URL`` or ``Image Service
URL``. URL``.
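Review bot: the added `UEFI Secure Boot Support`_ reference resolves through the section title, so rewording that heading later breaks this link and the two identical ones in the earlier hunks. The neighbouring section already carries an explicit label (``.. _irmc_node_cleaning:``); consider giving the new section a label of its own and referencing that instead.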
@ -352,6 +355,32 @@ Node configuration
Functionalities across drivers Functionalities across drivers
============================== ==============================
UEFI Secure Boot Support
^^^^^^^^^^^^^^^^^^^^^^^^
The hardware type ``irmc`` and iRMC classic drivers support secure boot deploy.
.. warning::
Secure boot feature is not supported with ``pxe`` boot interface.
The UEFI secure boot can be configured by adding ``secure_boot`` parameter,
which is a boolean value. Enabling the secure boot is different when
Bare Metal service is used with Compute service or without Compute service. The
following sections describes both methods:
* Enabling secure boot with Compute service:
To enable secure boot we need to set a capability on the bare metal node
and the bare metal flavor, for example::
openstack baremetal node set <node-uuid> --property capabilities='secure_boot:true'
openstack flavor set FLAVOR-NAME --property capabilities:secure_boot="true"
* Enabling secure boot without Compute service:
Since adding capabilities to the node's properties is only used by the nova
scheduler to perform more advanced scheduling of instances, we need
to enable secure boot without nova, for example::
openstack baremetal node set <node-uuid> --instance-info capabilities='{"secure_boot": "true"}'
.. _irmc_node_cleaning: .. _irmc_node_cleaning:
Node Cleaning Support Node Cleaning Support
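Review bot: the warning says Secure Boot is not supported with the ``pxe`` boot interface, but not what happens when ``secure_boot:true`` is set on a node that uses it. Please say whether the deploy fails or the capability is ignored, because in the second case an operator would believe Secure Boot is enforced when it is not. Minor: "The following sections describes" should read "describe".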

@ -1157,7 +1157,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
autospec=True) autospec=True)
def test_clean_up_instance_with_secure_boot(self, mock_cleanup_vmedia_boot, def test_clean_up_instance_with_secure_boot(self, mock_cleanup_vmedia_boot,
mock_set_secure_boot_mode): mock_set_secure_boot_mode):
self.node.provision_state = states.CLEANING self.node.provision_state = states.DELETING
self.node.target_provision_state = states.AVAILABLE self.node.target_provision_state = states.AVAILABLE
self.node.instance_info = { self.node.instance_info = {
'capabilities': { 'capabilities': {
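Review bot: the switch from ``states.CLEANING`` to ``states.DELETING`` in ``test_clean_up_instance_with_secure_boot`` is not explained anywhere in the change, and the same edit recurs in the two tests below. A one-line comment here, or a sentence in the commit message, saying why ``clean_up_instance`` is exercised in the DELETING state would keep a later reader from reverting it.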
@ -1178,7 +1178,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
autospec=True) autospec=True)
def test_clean_up_instance_with_secure_boot_false( def test_clean_up_instance_with_secure_boot_false(
self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode): self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
self.node.provision_state = states.CLEANING self.node.provision_state = states.DELETING
self.node.target_provision_state = states.AVAILABLE self.node.target_provision_state = states.AVAILABLE
self.node.instance_info = { self.node.instance_info = {
'capabilities': { 'capabilities': {
@ -1198,7 +1198,7 @@ class IRMCVirtualMediaBootTestCase(db_base.DbTestCase):
autospec=True) autospec=True)
def test_clean_up_instance_without_secure_boot( def test_clean_up_instance_without_secure_boot(
self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode): self, mock_cleanup_vmedia_boot, mock_set_secure_boot_mode):
self.node.provision_state = states.CLEANING self.node.provision_state = states.DELETING
self.node.target_provision_state = states.AVAILABLE self.node.target_provision_state = states.AVAILABLE
self.node.save() self.node.save()
with task_manager.acquire(self.context, self.node.uuid, with task_manager.acquire(self.context, self.node.uuid,
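Review bot: this is the third test in the class that sets ``provision_state = states.DELETING`` and ``target_provision_state = states.AVAILABLE`` by hand. Moving the pair into a small helper shared by the three ``test_clean_up_instance_*`` cases would have made this follow-up a one-line change and keeps the cases from drifting apart.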

@ -2,4 +2,5 @@
features: features:
- | - |
Adds support to provision an instance in secure boot mode for Adds support to provision an instance in secure boot mode for
``irmc-virtual-media`` boot interface. ``irmc-virtual-media`` boot interface. For details, see the `iRMC driver documentation
<https://docs.openstack.org/ironic/latest/admin/drivers/irmc.html#uefi-secure-boot-support>`_.
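Review bot: the release note hard-codes a URL under ``/latest/`` with the fragment ``#uefi-secure-boot-support``, which is derived from the section heading. The link will show whatever the newest documentation says rather than the documentation of the release this note belongs to, and it stops resolving to the section if the heading is renamed. Consider also naming the section in the sentence ("see UEFI Secure Boot Support in the iRMC driver documentation") so the reference survives a changed anchor.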