openstack/ironic-python-agent - ironic-python-agent - OpenDev: Free Software Needs Free Tools

Change-Id: I916fe8187fb9d8513852b620df133309fbc92af1

Using prlimits is incompatible with passing arguments as a list:
oslo.concurrency ends up executing something like:
/opt/ironic-python-agent/bin/python3 -m oslo_concurrency.prlimit \
 --as=2147483648 -- ['env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', \
 '/tmp/cirros-0.6.2-x86_64-disk.img', '--output=json']
Which obviously fails. I don't understand how our CI has worked so far,
but the Metal3 BMO suite fails on this.
Change-Id: I46dbcb0f73bcbe09bb89b5c7195259570412698e

In order to support a state of mid-cluster upgrades, IPA had logic
to permit the case of getting a call where we didn't have a token
but got token, which could happen in a deployment which is mid-upgrade.
The code now explicitly lacks that permissive logic because, at this
point, upgrades no longer need to be supported from the pre-victoria
clusters by current IPA.
Related-Bug: #2086865
Related-Bug: #2086866
Change-Id: Ia4c459158098f48cde4a6f6f9c96b25431a88081

This is a second attempt at securing the get command output endpoint
which could have data such as logs which could potentially have
sensitive details and information after the agent has completed
one or more actions.
Now, if a token is receieved, the agent locks out the command results
endpoint, and requires all future calls to include it.
This allows for the agent to be backwards compatible.
Special thanks go to cid for his first attempt at this, which I took
for the basis of some of the testing required.
Closes-Bug: #2086866
Co-Authored-By: cid@gr-oss.io
Change-Id: Ia39a3894ef5efaffd7e1d22cc6244059a32175ff

This reverts commit 6f860995c6.
Reason for revert: the change has broken virtually everyone who
has not updated Ironic before IPA. To make the matter worse, the
attached release note is not descriptive and does not explain
the upgrade impact.
The reverted change should be reworked to allow a graceful period.
Change-Id: I2a2a03dd8409af900b938494ceafd45a89e0c197

Securely handle state transition by locking down IPA at the final
stage of rescue operation to prevent restarts on tenant networks.
Closes-Bug: #2086865
Change-Id: I8e1be8da93a8c3fdf3cff7ad386c702d970d15f1

Currently, we only validate authentication tokens for POST but not
for GET requests which could mean anyone can retrieve command results
without authentication. Adding that uniformly across all command-related
endpoints.
Closes-Bug: #2086866
Depends-On: https://review.opendev.org/c/openstack/ironic/+/941607
Change-Id: Ib7f58b1694273beeb25314984c6e049376244d86

One of the "fun" aspects of accessing OCI images, is we have no way
to realistically gain awareness of the underlying disk format in the
OCI model, at least unless it is hinted at in the data model.
Where we're unable to really figure that out is when a user
supplies a specific digest URL. Ironic recognizes this and "right sizes"
the process and data discovery and explicitly notes the disk format it
believe to be 'unknown'.
In order for IPA to be able to stream, and appropriately check
this data format, IPA has be "okay" with 'unknown'. Everything else
appears good to get to this point. This doesn't prohibit the image
safety checking, just allows for the perception mismatch when the
format is 'unknown'
Change-Id: Ibe38245e906c659057a3c5ea7d8a0e474599ff5c

For the OCI artifact retrieval case, to enable authentication to be
passed from the conductor (in the form of a bearer token), we need to
be able to handle the case where this data is present, and then
initiate the connection with the appropriate token.
Change-Id: I380b32671cbc3a640bc5012ac241a7244750d117

Adds support for bootable containers to be deployed by the agent.
Related: https://review.opendev.org/c/openstack/ironic/+/937897
Change-Id: I66cb37d117d2afc335f015fb1fc31bdbd5c3cee5

Closes-Bug: #2091593
Change-Id: I9798359b12de8c427263e8fc25f79b6f033211c4

It's useful to have pci bus address/driver collected, the operator can
use the information to configure portgroup in a consistent way.
Change-Id: I432bca881ad881bae6d5e67c9b6fb52fe55b4e1e

flake8 checks recommend avoiding f-strings.
Change-Id: I1636cb45c73463b9b1d70ad784582beca277af4a
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

Fix this pep8 violation.
Change-Id: Ia69382a501791e3d11c045278c72073849cee20c
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

Change-Id: If3c8ed77587e4f36e6e9912c66eb9cd66700d515

Prevents the UnboundLocalError in erase_devices_express clean step.
Closes-Bug: #2095499
Change-Id: I01ce5005a62638ff960d2a75f225f882b2d56973

Debug messages from modprobe failing to load ipmi drivers can
be confusing and they do not add anything since they're
not really errors.
This patch silence the message in the logs.
Change-Id: I7452bc9e56148e3d423be92f384ff9aeffbe88d7

Related-Change: #939500
Change-Id: Id54f5bedd5c79c587bc4484914a8eb492e018010

Fail without retries when Errno 28 - "No space left
on device" error is encountered.
Closes-Bug: #2094854
Change-Id: Ie84b422916ddc02f2474164fe3da083324ef4824

Use just md<index> as the default volume name if a volume name is not defined.
The original change (https://review.opendev.org/c/openstack/ironic-python-agent/+/853182)
introduced an error:
mdadm: Value "/dev/md0" cannot be set as name. Reason: Not POSIX compatible.\n
This change fixes it.
Closes-Bug: #2073406
Change-Id: Ic8bd473801fcb92fc814f6ad4e1d6dc316783bf3

ironic-lib is being retired; this change imports any used code from
ironic-lib and updates references.
This contains some changes to how we throw exceptions; aligning
ironic-lib code with IPA practice to have all exceptions be a RESTError.
This also allows us to remove code around serializing ironic-lib
exceptions.
Change-Id: I137340ce6820c68d8e0f1a32668151bba7b1ddd7

Adds support for running burnin tests on GPUs
using gpu-burn[1]. Also refactors stress-ng code
to be a bit cleaner.
Requires gpu-burn to be pre-installed within the IPA.
* https://github.com/wilicc/gpu-burn
Co-Authored-By: Scott Solkhon <scottsolkhon@gmail.com>
Closes-Bug: #2069085
Change-Id: I8f8cace6ebc2b7f1c245c82a64609cdfc1c492f9

The crypt module was removed in Python 3.13 . Replace the module by
new methods from oslo_utils.secretutils .
Closes-Bug: #2083955
Change-Id: I61060fc13aabc8116c3d0f8ad50ee8c415675f31

Extended the function that expose BMC MAC address in inventory data
for an IPv6 only interface.
Previously, if no IPv4 address was configured, no mac address was exposed.
Change-Id: I93e49d308cfd63be1c09749ced4428a87a3daff9

To support a safer take-over from the provisioning to the tenant network
for hardware that cannot be powered off, this change introduces a new
command system.lockdown. When invoked, it stops the API, the heartbeater
and disables all network interfaces (if possible).
Partial-Bug: #2077432
Change-Id: I211fc64a46226127b0d82ab458029b3c702b3f74

This is largely required for the future lockdown command but can also be
used before the normal shutdown, especially in the sync command which is
currently used before an out-of-band shutdown command is issued.
In addition to a plain sync, the new command also tells the kernel to
drop its cached and issues a low-level sync command to each block
device.
Partial-Bug: #2077432
Change-Id: I3fc87b20bc5387a466b24ebc19b9982e4e368d20