The doc8 linter found several syntax problems in our docs; primarily a
large number of places we used single-backticks to surround something
when we should've used double-backticks.
This is frontrunning a change that will add these checks to CI.
Change-Id: Ib23b5728c072f2008cb3b19e9fb7192ee5d82413
This adds a wsgi entrypoint module which can be used with a wsgi runner,
such as uwsgi, to launch Ironic API processes without the need of a
separate script.
The legacy WSGI script is currently being installed by PBR, and as part
of the migration to a pyproject.yaml-compatible PBR, we cannot use the
wsgi-scripts plugin anymore, and will be removing the script installed
by it in a future Ironic release.
The new WSGI script, because it has statements at the module top-level,
cannot be autodocumented; we now exclude it.
Also we don't treat all warnings as errors in pdf docs builds to allow
the use of mock autosummary, starting with including the wsgi module.
Co-Authored-By: Doug Goldstein <cardoe@cardoe.com>
Change-Id: I584ac6a25c4e6cd9744a609b50d12b434a930dc6
Added some documentaition that details how to change the ironic localdev microversion for testing purposes.
Rendered View: https://files.mcaq.me/944ch.png
Change-Id: I1e21a12ad1413046a41f856ddf229e399f82523a
Centos Stream and ultimately RHEL have switched to asynchronous
device initialization, which impacts root device hints and their
usability on those systems, in large part because context which
people have traditionally had, no longer holds true on those newer
kernels.
This doc update attempts to provide the needful context to guide
operators to the best possible outcome given the distribution changes.
Change-Id: I541086cfe235b10f1f1dba95fad95022a22f9ce7
While working another issue, we discovered that support added to
the ironic-conductor process combined the image_download_source
option of "local" with the "force_raw" option resulted in a case
where Ironic had no concept to checksum the files *before* the
conductor process triggered an image format conversion and
then records new checksum values.
In essence, this opened the user requested image file to be
suspetible to a theoretical man-in-the-middle attack OR
the remote server replacing the content with an unknown file,
such as a new major version.
The is at odds with Ironic's security model where we do want to
ensure the end user of ironic is asserting a known checksum for
the image artifact they are deploying, so they are aware of the
present state. Due to the risk, we chose to raise this as a CVE,
as infrastructure operators should likely apply this patch.
As a note, if your *not* forcing all images to be raw format
through the conductor, then this issue is likely not a major
issue for you, but you should still apply the patch.
This is being tracked as CVE-2024-47211.
Closes-Bug: 2076289
Change-Id: Id6185b317aa6e4f4363ee49f77e688701995323a
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
This patch adds some initial documentation
for the update step available via
the redfish firmware interface.
Change-Id: I4a70e2e78d725fd96a2ddd116c6d6e0d9c3b9639
The feature is no longer considered experimental. Remove a few warnings
and wordings to reflect the current state.
Change-Id: I1a3dcb54e3a948aa9fc6f59d67f72de51df20e84
This a continuation to the efforts to ensure that the documentation is free from typos and grammatical mistakes so that the reader is not confused. Includes fixes for some of the documentation in doc/source/admin/*
Change-Id: I9ff40f1982ffad86a41e44395b6bee3a8dbfe43a
It was recently learned by the OpenStack community that running qemu-img
on untrusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.
This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in a deployment.
This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.
Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
Ironic already has support for automatically setting a lessee on
deployment, but it is only supported for direct deployments with Ironic,
as it uses request context which is not preserved in the Nova driver.
Now, when combined with the related Nova change, Ironic can support this
behavior for fully integrated installations. On deploy time, Nova will
set several fields -- including project_id -- in instance info. If
enabled, Ironic will then use that project_id as the automatic lessee.
The previous behavior of using the project_id from the request context
is still supported as a fallback.
This is being tracked in nova as blueprint ironic-guest-metadata.
Closes-Bug: #2063352
Change-Id: Id381a3d201c2f1b137279decc0e32096d4d95012
Many testing scenarios, including testing "full size" DIB ramdisks
instead of using tinyipa, require adjustment of our proscribed values
for Ironic VM size. Document this in the devstack guide.
Change-Id: I58823fa19d65c12ea2f9229394080f83d1d397f4
With the removal of the wsman interfaces in the idrac driver and only
redfish being supported, the idrac driver should inherit from the
redfish driver to ensure that it properly supports all the redfish
supported interfaces. Furthermore with several of the interfaces being
no-op passthru to the redfish implementation there is no reason to not
let the user select those interfaces as well. With an eye towards not
having to support these in the future, direct users to use the stock
redfish versions in the docs as well.
Change-Id: I79ab44f31660e6d5311db46223e8bd60d2b3f213
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Lots of references to deprecated ways of doing things, as well as two
entire separate sections dedicated to how disk erasure works.
Also ensured we reference new valid config options surrounding disk
erasure.
Additional improvments could include adding documentation around how to
skip disks per node (or linking to any preexisting docs around it).
Change-Id: Ifa029e26eff0637b443d094d85e773b885d0979b
Since we're a plugin, the TARGET_BRANCH instructions in the normal
devstack guide are not enough. We should specifically instruct people to
avoid this pitfall.
Change-Id: I7c9fd98c582984036e0b19714b8f387a31e8715f
Currently, if the inspection network is not provided, neutron-based
network interfaces fail with something like:
Driver redfish does not support inspection (disabled or not implemented)
This is utterly misleading. Use a hand-crafted error message instead.
Same for the PXE boot interface. Also add missing documentation.
Change-Id: I79086db1c270e02a6c74b870acc336e8da54dea3
The documentation contains a significant amount of grammar mistakes.
This could cause confusion in certain scenarios to correctly understanding the
context. Starting to go though the documentation and pushing this commit
as a start.
Change-Id: If2c18909a83ba501b5ffae494934fb631b009e54
Update api-ref, documentation to reflect the new
endpoints and the new way to set node provision state.
Related-Bug: #2027690
Change-Id: I2106691c08eb04d1001ccf97e6e08fc811356874
Implement cross-referencing to configuration options
through out the Ironic documentation.
Closes-Bug: #2076111
Change-Id: I28712a3a92eb7e7d9875e49ea3ed8800168262fe
Ironic docs improvements. Addressing one of the issues from
the Ironic documentation audit. Using gerunds in titles and
including *Ironic* in the title to improve SEO.
Closes-Bug: #2072351
Related-Bug: #2072349
Change-Id: I9f9c47654386df416b51e8a0cd48f5a89f55e799
Adds runbooks; the new API feature that makes it possible for
project members to self-serve maintenance tasks through curated step
lists associated with target nodes via traits.
In addition to basic CRUD support, runbook extends current API flow for
performing manual cleaning and servicing to support runbooks in lieu of
an explicit/arbitrary ``clean_steps`` and ``service_steps`` user-defined
lists.
Demo Video: https://youtu.be/00PJS4SXFYQ
Closes-Bug: #2027690
Change-Id: I43555ef72cb882adcada2ed875fda40eed0dd034
To utilize the idrac-redfish interfaces, you need the sushy-oem-idrac
package to be installed along side of sushy itself.
Change-Id: I3376cd0b40fce49345121ad84d35749241e9dbe8
