For now we have to carry both in both trees, and they have gone out
of sync. This change updates the copy here with two new commands.
Change-Id: Ife131cf825518012a3b04d2c7d713beeb4f8f770
This patch is changing the default bootloader for PXE + UEFI to Grub2.
Prior to this patch Elilo was the default, but Elilo is no longer
maintained, with the last release dating from 2014.
Ironic should have sane defaults therefore we should not rely on an
unmaintained project.
Change-Id: Ib34fcbd37e4698bf272582c96b1540b511b5a892
When iPXE is enabled, it is possible for the bootloader to download
the deploy kernel and ramdisk directly from Swift TempURL instead of
downloading them to conductor and serving from local HTTP server.
This patch adds the required logic and a new config option
`ipxe_use_swift` (default False), setting which to True enables
using Swift TempURLs for deploy ramdisk and kernel.
Note that local caching and serving for kernel and ramdisk of user image
is still performed for partition images that require non-local boot,
as moving those to use TempURLs will make it impossible for the user
to reboot the instance when TempURLs time out or image is deleted from
Glance/Swift.
Change-Id: I106cc6148c329e784bfbb5019fdfeb0509a9de09
Closes-Bug: #1526404
Co-Authored-By: Andrey Shestakov <ashestakov@mirantis.com>
This change adds a new policy setting, "show_instance_secrets", whose
behavior mirrors that of the existing "show_passwords" policy setting.
Whereas "show_passwords" has historically blocked all sensitive
information from the node's driver_info field, the new setting blocks
all sensitive information from the node's instance_info field, including
image_url.
The name of the old setting, "show_passwords", is not being changed at
this time because such a change is not backwards-compatible. Instead,
the documentation string for this setting has been changed to clarify
what it does. Note that the behavior has not actually changed.
Note that this change moves the policy.check("show_password") call from
the Pecan hook into the API's Nodes() class, where the
policy.check("show_instance_secrets") is also added. This makes the code
a little cleaner and more maintainable, especially if we want to add any
more checks like this in the future.
As a result of this cleanup, the ironic-specific
RequestContext.show_password property is removed.
Partial-bug: #1530972
Partial-bug: #1526752
Related-bug: #1613903
Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600
When no boot mode is explicitly passed to iLO drivers, they pick a
default boot mode based on a series of factors, like the pending boot
mode setting and UEFI boot mode support on the node. This causes
confusion for users, as these factors are node specific and
beyond the user's control. Users expect predictable behavior when
no boot mode is explicitly passed.
A new configuration parameter '[ilo]/default_boot_mode' has
been added to specify default boot mode. It would be used if no
boot mode is explicitly passed to iLO drivers.
Change-Id: I4efd28985674bedabe42fe786135255698425321
Closes-Bug: #1604002
This patch is adding a new configuration option called
"erase_devices_metadata_priority" to allow users to configure the priority
(and enabling/disabling) of the "erase_devices_metadata" cleaning step.
The documentation will be done in a subsequent patch.
Partial-Bug: #1603411
Change-Id: I110008b3d738de0b5d2add68c9d54a4a147fc007
This patch adds the code to collect the deployment logs from the IPA
ramdisk. The logs can be collected for every deployment, upon a failure or
never. By default, logs are collected upon a failure.
After collection, logs can be stored either in the local filesystem
(default) or in Swift.
If an error occurs when the logs are being collected or stored, or if the
ramdisk does not support the collect_system_logs command, Ironic will log
an error message, but the deployment will proceed.
Documentation on how to enable and other configuration will be done on a
subsequent patch.
Partial-Bug: #1587143
Change-Id: I6da1110daa94ea25670f71f9862e51cc9bbc6f93
Introduces new /v1/lookup and /v1/heartbeat/<UUID> endpoints
(and associated controllers).
This change does not deprecate the old passthru endpoints, it should
be done after IPA switches to using the new ones.
Change-Id: I9080c07b03103cd7a323e2fc01be821733b07eea
Partial-Bug: #1570841
This change is about adding the ability for the OneView drivers to
dynamically allocate OneView resources to Ironic. The current
version of the drivers considers what we call "pre-allocation" of
nodes, meaning that when a node is registered in Ironic, even if
it is not in use, this resource is still reserved in OneView.
This change will prevent such situations by allocating OneView
resources only at boot time, allowing both systems to really
share the same pool of hardware.
Change-Id: I43d1db490b4834080562946b8a6ca584ea36864d
Co-Authored-By: Lilia Sampaio <liliars@lsd.ufcg.edu.br>
Co-Authored-By: Xavier <marcusrafael@lsd.ufcg.edu.br>
Co-Authored-By: Hugo Nicodemos <nicodemos@lsd.ufcg.edu.br>
Co-Authored-By: Thiago Paiva Brito <thiagop@lsd.ufcg.edu.br>
Co-Authored-By: Caio Oliveira <caiobo@lsd.ufcg.edu.br>
Partial-Bug: #1541096
Implements more fine-grained policy support within our API service,
following the oslo policy-in-code spec, while maintaining compatibility
with the previous default policy.json file. An empty policy.json file is
included, along with a sample file listing all supported policy settings
and their default values.
A new tox target "genpolicy" has been added to ease automation of
sample policy file generation.
All calls to policy.enforce() have been replaced with
policy.authorize() to avoid silent failures when a rule is undefined,
because enforce() does not raise() if the target rule does not exist.
NOTE: policy.enforce() is not removed by this patch, but a deprecation
warning will be logged if this method is invoked.
Updates unit test coverage for the new authorize() method, as well as
more general unit test updates for some of the new rules.
Partial-bug: #1526752
Change-Id: Ie4398f840601d027e2fe209c17d854421687c7b7
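The two policy commits above (the "show_instance_secrets" setting and the move from enforce() to authorize()) can be illustrated together. This is an added example, not Ironic or oslo.policy code: `MiniEnforcer`, `sanitize_node`, the masking rules and the sample data are simplified assumptions that model only the behaviour the commit messages describe.

```python
# Simplified model of rule checking; NOT oslo.policy or Ironic code.
SECRET = "******"


class PolicyNotRegistered(Exception):
    """Raised by authorize() when the rule name was never registered."""


class MiniEnforcer:
    def __init__(self, rules):
        # rules: rule name -> predicate over the caller's credentials
        self.rules = dict(rules)

    def enforce(self, rule, creds):
        # Unknown rule: quietly deny, indistinguishable from a real denial.
        check = self.rules.get(rule)
        return bool(check and check(creds))

    def authorize(self, rule, creds):
        # Unknown rule: fail loudly so a misspelled name is caught in tests.
        if rule not in self.rules:
            raise PolicyNotRegistered(rule)
        return bool(self.rules[rule](creds))


def sanitize_node(node, enforcer, creds):
    """Return a copy of node with secrets masked unless policy allows them."""
    out = {field: dict(values) for field, values in node.items()}
    if not enforcer.authorize("show_password", creds):
        for key in out["driver_info"]:
            if "password" in key:  # simplification: mask password-like keys
                out["driver_info"][key] = SECRET
    if not enforcer.authorize("show_instance_secrets", creds):
        if "image_url" in out["instance_info"]:  # simplification: image_url only
            out["instance_info"]["image_url"] = SECRET
    return out


# Constructed sample rules and node (assumptions for this example).
RULES = {
    "show_password": lambda c: "admin" in c["roles"],
    "show_instance_secrets": lambda c: "admin" in c["roles"],
}
NODE = {
    "driver_info": {"ipmi_address": "192.0.2.10", "ipmi_password": "s3cret"},
    "instance_info": {"image_url": "https://swift.example/v1/img?temp_url_sig=abc"},
}
```

With a misspelled rule name, `enforce()` returns the same `False` as a genuine denial, while `authorize()` raises, which is the silent failure the commit message refers to.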
We currently construct Keystone client objects directly, which
is no longer the preferred way. Instead, we should be using Sessions
which allows use of different auth plugins. This change attempts to
migrate our Keystone usage to this model.
Additionally, we currently rely on the imported keystonemiddleware
auth_token's configuration for all of the Keystone credentials used
by the Ironic service user. This is bad, as that config is internal
to that library and may change at any time. Also, the service user
may be using different credentials than the token validator.
This refactors the keystone module to use Sessions.
It attempts to provide some backward compat for users
who have not yet updated their config,
by falling back to the authtoken config section when required.
Operators impact:
- Authentication parameters for each service should now be specified in
the corresponding config section for this service ([glance], [neutron]
[swift], [inspector]).
This includes providing both Keystone session-related options
(timeout, SSL-related ones) and authentication options
(`auth_type`, `auth_url` and proper options for the auth plugin).
- New config section `service_catalog` for Ironic service user
credentials, used to resolve Ironic API URL from Keystone catalog.
- If loading from the service config section fails, an attempt is made
to use respective options from [keystone_authtoken] section as a
fall-back for backward compatibility.
Implementation details:
- using keystoneauth1 library instead of keystoneclient
- For each service the keystone session is created only once and is
reused further. This lowers the number of authentication requests
made to Keystone but implies that only auth plugins that can
re-authenticate themselves can be used (so no *Token plugins).
This patch does not update the DevStack plugin, in order to test
backwards compatibility with old config options.
DevStack plugin will be modified in a subsequent patch.
Change-Id: I166eebefc1e1335a1a7b632149cf6441512e9d5e
Closes-Bug: #1422632
Related-Bug: #1418341
Related-Bug: #1494776
Co-Authored-By: Adam Gandelman <adamg@ubuntu.com>
This adds agent config options for metrics as described in the
spec, and allows those config options to be sent to IPA on
lookup. We're configuring heartbeat timeout this way, and this
change matches nicely with that style.
Additionally, this sets heartbeat_timeout under the new config
namespace for consistency, however, we'll allow the old way to
be deprecated when the vendor_passthru for agent lookups is
deprecated.
Change-Id: I94d81b95feabe46999dbbc02522508cd542a89f8
Co-Authored-By: Josh Gachnang <josh@pcsforeducation.com>
Partial-bug: #1526219
This adds support for the audit middleware to Ironic, allowing
the middleware to send two notifications per API request,
one for the request and another for the response.
This adds an option to enable or disable audit middleware.
Also to properly audit API requests passing conf options
via audit map file.
AuditMiddleware docs:
http://docs.openstack.org/developer/keystonemiddleware/audit.html
Co-Authored-By: Chris Krelle <nobodycam@gmail.com>
Closes-Bug: #1540232
Change-Id: I6de4751aa6b25e8457cae3eeab95a15f417662c5
iLO drivers do not validate iLO SSL certificate. This commit adds
support in iLO drivers to validate iLO SSL certificate.
Change-Id: Iff0d02799d3d9338b7dbdd77eab1f12f709a7765
Closes-Bug: #1599710
This change adds initial metrics for Ironic based on new support in
ironic-lib. Emits timing metrics for basic Ironic API calls.
Bumps ironic-lib to 2.0.0 in requirements to add metrics support, as
well as adding ironic_lib.metrics and ironic_lib.metrics_statsd to
ironic-config-generator.conf to get them in the sample config, which
is also regenerated.
Change-Id: Ic35802e4cd11763ebbedb8ddc28f7e8dc535cc2f
Partial-bug: #1526219
This patch exposes the node's network_interface field in the REST API.
It also adds restrictions on the node states in which network
interface change is possible and whether the requested network
interface is enabled.
As a temporary solution until the driver composition work is completed,
we have taken an approach that requires all API and Conductor nodes to
have the same setting for enabled_network_interfaces. There are inline
notes in the code indicating where we will address this in the future.
Partial-bug: #1526403
Co-Authored-By: Om Kumar <om.kumar@hp.com>
Co-Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Sivaramakrishna Garimella <sivaramakrishna.garimella@hp.com>
Co-Authored-By: Vladyslav Drok <vdrok@mirantis.com>
Co-Authored-By: Zhenguo Niu <Niu.ZGlinux@gmail.com>
Change-Id: I67495196c3334f51ed034f4ca6e32a3e01a58f15
The [ilo]/clean_priority_erase_devices configuration option is
duplicated by [deploy]/erase_devices_priority, this patch is marking the
ilo configuration as deprecated.
The ironic.conf.sample was also updated to reflect the changes.
Closes-Bug: #1515871
Change-Id: I2bf18e35d97160d31a51c8447745bfd60c099af2
This patch adds a 'neutron' network interface. This interface
supports separate networks for provisioning and for cleaning of nodes.
Partial-bug: #1526403
Co-Authored-By: Vladyslav Drok <vdrok@mirantis.com>
Change-Id: Ia3442ab3536a1a8d8839b24dbfc640b818450350
This change also introduces two network interfaces:
* flat: Copies current neutron DHCP provider logic to work with
cleaning ports;
* noop: noop interface.
The default value of the network_interface is None, meaning that the
node will be using the default network interface. The default network
interface is determined the following way:
* if [DEFAULT]default_network_interface configuration option is set
(the default for it is None), the specified interface becomes the
default for all nodes;
* if it is not set, 'flat' interface will be used if the deployment
currently uses 'neutron' DHCP provider, otherwise 'noop' interface
will be used.
create_cleaning_ports and delete_cleaning_ports methods of the DHCP
providers are still being called in case of out-of-tree DHCP
providers, but this possibility will be removed completely in the
next release. If the DHCP provider logic is rewritten into a custom
network interface, please remove those methods from the provider, so
that network interface is called instead.
Partial-bug: #1526403
Co-Authored-By: Om Kumar <om.kumar@hp.com>
Co-Authored-By: Vasyl Saienko <vsaienko@mirantis.com>
Co-Authored-By: Sivaramakrishna Garimella <sivaramakrishna.garimella@hp.com>
Co-Authored-By: Vladyslav Drok <vdrok@mirantis.com>
Co-Authored-By: Zhenguo Niu <Niu.ZGlinux@gmail.com>
Change-Id: I0c26582b6b6e9d32650ff3e2b9a3269c3c2d5454
Move _build_client logic to ironic.common.neutron module.
In the future, the module will contain functions common to Neutron.
Change-Id: I7b344d71d0f9ae34f7423099631bd25b5c5359bd
Operators should be able to choose if they wish to fall back when
a disk-based secure erase operation fails.
Adds a configuration option to be passed to the agent during
cleaning operations in order to allow that decision to prevent
failed secure erase operations from causing the node to go into
CLEANFAIL state by enabling fallback logic.
Change-Id: I13c0fef3a6aa1903bfe1f54ba4fafbeadd673666
Closes-Bug: #1536695
oslo_config provides a utility for generating sample config files,
which provides more detail about opts, like Minimum/Maximum value
and Allowed values.
So drop Ironic's "generate_sample.sh", which was copied from
oslo-incubator a long time ago.
Add a new entry point "ironic" under oslo.config.opts namespace to
explore config options to oslo-config-generator.
After this patch, new config options of Ironic code should register
with ironic/conf/opts.py. New external libraries should
register with tools/config/ironic-config-generator.conf
There is a bug #1554657 with oslo-config about deprecated_group.
This bug has an impact on some configs from keystonemiddleware
and oslo.messaging in ironic.conf.sample.
So currently, a deprecated option should always add the deprecated_group
even if it didn't alter the group, otherwise the deprecated group value will
be 'DEFAULT'.
Update etc/ironic/ironic.conf.sample via running 'tox -egenconfig'.
Closes-Bug: #1564195
Change-Id: If7721e98e69b6f54f1ee04a07477396b86583371