The [inspector]update_pxe_enabled configuration option controls
whether the pxe_enabled field of a Port is updated during node
inspection. This patch adds logic to honor that setting.
Change-Id: I3e28e439b386c9f73e377b62513346bcadbd56b2
(cherry picked from commit 5a9efa070c)
(cherry picked from commit b476c1bc27)
It is possible that an agent is booting in an environment with firewalls
doing evil things like not closing sockets, or where a FIN-ACK never makes
it to the conductor, or whatever.
This can result in the client hanging and eventually timing out.
Ironic's agent client code automatically retries. Which is cool.
The agent records it got a command from the first attempt, and then again
from the retry. Everything goes swimmingly until Ironic goes to assess
if the agent is a "freshly booted" agent, or not. At which point, the
check logic would see the multiple "get_xxx_steps" calls in the agent
logs, and declare the agent not to be freshly booted due to the retry
attempts.
So instead, we now explicitly evaluate the results of the command in
whole to account for retires. This commit also adds additional tests
as the helper was previously only really being exercised with empty
lists in unit tests.
Closes-Bug: 2110698
Change-Id: I460751b761462dbb630368e474e207fed90f289a
(cherry picked from commit 91b28bc43b)
Turns out some of the standalone jobs, anaconda in particular,
can reference some artifacts on disk in such a way which causes
the security logic to block the request. This is an easy fix.
Change-Id: I79204117cdbffab1f619981767471475870b4571
(cherry picked from commit 42be33b52b)
Before this change, Ironic did not filter file:// paths when used as an
image source except to ensure they were a file (and not, e.g. a
character device). This is problematic from a security perspective
because you could end up with config files from well-known paths being
written to disk on a node.
The allowlist default list is huge, but it includes all known usages of
file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI
and default configuration.
For the backportable version of this patch for stable branches, we have
omitted the unconditional block of system paths in order to permit
operators using those branches to fully disable the new security
functionality.
Generated-by: Jetbrains Junie
Closes-bug: 2107847
Change-Id: I2fa995439ee500f9dd82ec8ccfa1a25ee8e1179c
We duplicated these disk_utils options in the security fix; disabling
use of them during doc runs.
Change-Id: I1a1eaf6f089c4fa52b030ce2fa82493cdc53f07a
The code here builds a dictionary from a glance v2 image object that
roughly resembles the glance v2 image object. The current behavior
nests the 'properties' set on the image under it's own 'properties' key
resulting in the image properties never being seen by the Ironic code.
The breakage results from the change from glanceclient to the SDK which
changed the shape of the returned object. The glanceclient object shape
was that of FakeImage while the SDK returns a Resource based object
which includes attributes for all possible fields which are defined at
the top-level of the object. Since the tests run against a different
value they did not cature the failure. Just changing to the SDK object
results in us copying all these new values to the properties dict which
is definitely not the intention. For maximum compatibility to backport
this filters any value not set from being set into properties and sets
the rest. The broken path is any user of get_image_properties()
(both copies from common/images and deploy_utils) checking for user
supplied properties.
Closes-Bug: 2099953
Change-Id: I1842e2651fd2bd8455646db9a3a80c3b9ece5c97
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
(cherry picked from commit 05734cfc95)
Some vendors insist that floppy images need to be exactly 1440 KiB in
size and have a suffix of ".img". Let's adapt to this and assume that
this doesn't break other vendors.
Closes-Bug: 2100276
Change-Id: I5be6380e8c8c3eac5bea1c189b205b05a9fae625
(cherry picked from commit 56dbf38ed8)
we see some slightly different errors returned in the wild
for some HW.
Change-Id: Ic822c8283600b658ba5ff7bc007cb95352d82a86
Related-Bug: #2085137
(cherry picked from commit 80540bb52d)
When mixing in-band out-of-band steps, the out-of-band status polling
flag was not being cleared, and was being left to remain in the node
driver_internal_info field, thus preventing future heartbeat operations
from the baremetal node from being processed to check the actual
completion status of a step.
We now always clear the field based upon the workflow in-progress
before starting a new step and should asynchronous steps also
be recorded as a result of any step's actions such as if a reboot
is required.
Special thanks goes to keekz for promptly providing upstream with
the information necessary for us to identify the root cause.
Closes-Bug: 2096938
Change-Id: I5198d9169cff8474c7a990332639b2d0758e6e1a
(cherry picked from commit 5db194c503)
The redfish_password option is optional, make sure that the SessionCache
does not throw an error when it is not set.
Closes-Bug: 2097019
Change-Id: Idf792c982a883a4c07ae1dad72e3c54bc73b96a1
(cherry picked from commit 91b656d31c)
Somehow... the hold and wait steps were dropped or were lost in
from when hold/wait step logic was developed. This fixes it and
adds them to a test which exercises the validation logic.
Also takes into account the unhold verb call from Dmitry's change
in https://review.opendev.org/c/openstack/ironic/+/913707 and
adds a test accordingly.
Change-Id: I8c23db46b4a5772d907f6c73ed5b975fdaaf80c8
(cherry picked from commit b6275912c2)
codespell get updated from time to time and finds "new" spelling issues,
but we don't want to keep amending stable branches for that, so drop
this job here.
Change-Id: Idc7a812cf11d4750cf123b2273be35a7fdb66326
The fix for CVE-2024-47211 results in image checksum being required in
all cases. However there is no requirement for checksums in
file:// based images.
This change checks for this situation. When checksum is missing for
file:// based image_source it is now calculated on-the-fly.
Change-Id: Ib2fd5ddcbee9a9d1c7e32770ec3d9b6cb20a2e2a
(cherry picked from commit b827c7bf72)
This commits makes sure we call update_node_cache
after we finish a successful cleaning/servicing.
Change-Id: I62403120c758caac38a4d2b3912a9c43f65161cc
(cherry picked from commit f6904d9783)
I have requested a new release from dnsmasq here:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q4/017828.html
but until they perform one, we should at least checkout and build
a version of dnsmasq with this fix, instead of downgrading to one that
is slightly less broken.
Related-Bug: 2026757
Change-Id: I8abac5fa729035341c90d7881cb35aff751da101
(cherry picked from commit 360e21124c)
In the runbooks change, I43555ef72cb882adcada2ed875fda40eed0dd034,
new policies were added for a user sending a list of service steps
or clean steps to the API.
This was done with the generic check_policy helper, however the helper
does not understand how to populate the ``node`` mapping data to enable
RBAC rule value matching. Doing so requires a special node policy
checker method.
As such, the policy checker was changed, and additional tests were added.
One final note, strucutrally the new policies were being checked *after*
we stated to do state verification of the request. RBAC checks should be
performed upfront... which also eases the burden of testing the RBAC
model. Accordingly, the policy checks were moved together
in the provision state logic.
Closes-Bug: 2086823
Change-Id: I18c56cb4becf9e6181689ddc0f1c7433327a3aa6
(cherry picked from commit bf644e8274)
The option's help says that the option is ignored when fast track is on,
but in reality it only happens with the legacy inspection.
The clean-up logic diverges between the two inspection implementation,
so change the new implementation to reuse the old clean-up code.
Add a few missing unit tests.
Change-Id: I2e84aa285b5673bcc911d35439ba80a739460f59
(cherry picked from commit 4f40ddef26)
The unittests want qemu-img available now so add that as a dependency
that users need to install before running the tests.
Change-Id: I2169988c653088115c7b388113b5e76e721e2429
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
(cherry picked from commit 2cb56f8b99)
When we were fixing the qemu-img related CVE, in our rush we didn't
realize that the logic for storage sizing, which only falls back to
actual size didn't match the prior interface exactly. Instead of
disk_size, we have actual_size on the format inspector.
This was not discovered because all of the code handling that side
of the unit tests were mocked.
Anyhow, easy fix.
Closes-Bug: 2083520
Change-Id: Ic4390d578f564f245d7fb4013f2ba5531aee9ea9
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_source
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4f4363ee49f77e688701995323a
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
Both the driver and the conductor code try to transition the node to
INSPECTFAIL, with the 2nd attempt failing. Rework the driver code to
only do implementation-specific clean-up. Also safeguard the conductor
code against this case.
Change-Id: Ie1c64b4807ecf29fa0da54501798d363675977c8
(cherry picked from commit 8a6b5eb8c3)
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has as stable/2024.2 branch, tests will
continue to use the upper-constraints list on master.
Change-Id: Ic23671eda898679b54a36e79029fb276856f09da
This environment was used by SQLAlchemy 1.4 and is no longer necessary
since SQLAlchemy was bumped to 2.0 .
Change-Id: I0e01f61529b633251f99d5a1a3e00ffca6c8837f
Adds microversion headers to the root endpoint so the '/' and '/v1'
endpoints consistently include microversion headers.
Closes-Bug: #2079023
Change-Id: Iea78b33e04e256c1139dd46a25f6d6a2be8e1ccc
The qemu-img command is required not only in Red Hat family but in
the other families such as Ubuntu, Debian or OpenSUSE.
Ensure the command is installed by bindep.
Change-Id: I94960fc644e2b8524d14633960a88a71437f0618
