openstack/ironic-python-agent - ironic-python-agent - OpenDev: Free Software Needs Free Tools

Depends-On: https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/950235
Change-Id: I44fd4cd6e9cc52f884d14a5c8d0478d02d5b57ee

Fetching the permanent MAC address of the interface instead of the
default one allows to get the right one in case it got changed during
setup (likely with a bonding setup).
In order to fetch the permanent MAC address of a given interface, one
can either use Netlink (either rtnetlink or ethtool), or use ethtool
ioctl.
The use of ioctl feels simpler and requires no additional dependency.
The implementation falls back to older behavior should an error occur.
Closes-Bug: #2103450
Change-Id: I54151990e396ddcf775128ca24d3db08e45c256d
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>

This change removes several usages of eventlet from IPA:
- Upgrades all requirements on oslo library versions to new ones that
 support non-eventlet use.
- Removes use of the eventlet wsgi server (via oslo_service.wsgi) and
 replaces it with the cheroot wsgi server.
- Removes explicit patching of python modules with eventlet
Note that due to some oslo libraries still using ``eventlet`` to detect
and workaround it's use. This means that it is still installed in
environments alongside IPA, even if it's not used or patched into any
modules.
Depends-On: https://review.opendev.org/c/openstack/requirements/+/947727
Change-Id: I9accab2d5e9529a88ef5d3db85e76901f14114eb

These files are not actually executable.
Change-Id: Id4208a91c005b8199d62320882c4f14dcd7f7761

Change-Id: Id85563015b3ea9e2802baa7b8ab1ca1d858568d5

The non-redfish standalone job is pending removal from Ironic.
Change-Id: I2b6d542ce7af3eeeff23f06e43e82de5d7b09701

- Implemented manual cleaning
- Refactored the code
Change-Id: I301aaf9dfd6aff90f505148b65e75033f5043553

Update container-based cleaning hardware manager to use ironic
conductor config.
Note:
- Moved conf variables from __init__ and evaluate_hardware_support
 as the config overwritten after those process
- Utilized getattr instead of making methods beforehand. The methods
 created don't stick for a new instance.
Partial-Bug: #2100556
Change-Id: I53d5a4f112fbed455d5574840611ef6ea2db3eae

- Python 3.13 uses time.time_ns for logging
https://github.com/python/cpython/blob/main/Lib/logging/__init__.py#L303
Change-Id: I3de44cc0fda662f3d5b1c6ea8add973cf2ed3bd9

Change-Id: I54dc23d8e8cec12a4685a82c4807ddd6a2267533

Eventlet patches two things in socket, effectively:
- create_connection
- various greendns things
By adding this environment variable, we're going to disable a large portion of the greened module code in IPA, which will be a boost to our migration off.
Change-Id: I1f94238c8d83f9e7cb0f7e096172ffb7c20c862b

Implement container-based cleaning process
Partial-Bug: #2100556
Change-Id: I39b92462d1454df888fc413e0aac439b9df199f7

Add 'interface': 'deploy' to the clean step configuration to avoid the error
Change-Id: Ie2297fc3375f6e0a389fa19789506a72fcf967e7

Add file to the reno documentation build to show release notes for
stable/2025.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2025.1.
Sem-Ver: feature
Change-Id: I259249774c39e95b214e77b2ae632c7278e78754

The referenced bug looks mostly fixed. This patch is basically
closing it.
Closes-Bug: #2039072
Change-Id: I22b80f2c995c365e9f19c3a06c80656cb6ce8922

Change-Id: I916fe8187fb9d8513852b620df133309fbc92af1

Using prlimits is incompatible with passing arguments as a list:
oslo.concurrency ends up executing something like:
/opt/ironic-python-agent/bin/python3 -m oslo_concurrency.prlimit \
 --as=2147483648 -- ['env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', \
 '/tmp/cirros-0.6.2-x86_64-disk.img', '--output=json']
Which obviously fails. I don't understand how our CI has worked so far,
but the Metal3 BMO suite fails on this.
Change-Id: I46dbcb0f73bcbe09bb89b5c7195259570412698e

To help ease upgrades to Victoria, IPA had a knob added
to enable operators to express if agent tokens were required
in their deployment. Since then, the feature is required, however
we left the logic enabling the fun upgrade case handling.
At this point, this knob serves no further use, and can be removed.
Change-Id: I202f06e1b6598a802c9853fb99201c55e7a40cb1

In order to support a state of mid-cluster upgrades, IPA had logic
to permit the case of getting a call where we didn't have a token
but got token, which could happen in a deployment which is mid-upgrade.
The code now explicitly lacks that permissive logic because, at this
point, upgrades no longer need to be supported from the pre-victoria
clusters by current IPA.
Related-Bug: #2086865
Related-Bug: #2086866
Change-Id: Ia4c459158098f48cde4a6f6f9c96b25431a88081

This is a second attempt at securing the get command output endpoint
which could have data such as logs which could potentially have
sensitive details and information after the agent has completed
one or more actions.
Now, if a token is receieved, the agent locks out the command results
endpoint, and requires all future calls to include it.
This allows for the agent to be backwards compatible.
Special thanks go to cid for his first attempt at this, which I took
for the basis of some of the testing required.
Closes-Bug: #2086866
Co-Authored-By: cid@gr-oss.io
Change-Id: Ia39a3894ef5efaffd7e1d22cc6244059a32175ff

This reverts commit 6f860995c6.
Reason for revert: the change has broken virtually everyone who
has not updated Ironic before IPA. To make the matter worse, the
attached release note is not descriptive and does not explain
the upgrade impact.
The reverted change should be reworked to allow a graceful period.
Change-Id: I2a2a03dd8409af900b938494ceafd45a89e0c197

Securely handle state transition by locking down IPA at the final
stage of rescue operation to prevent restarts on tenant networks.
Closes-Bug: #2086865
Change-Id: I8e1be8da93a8c3fdf3cff7ad386c702d970d15f1

Currently, we only validate authentication tokens for POST but not
for GET requests which could mean anyone can retrieve command results
without authentication. Adding that uniformly across all command-related
endpoints.
Closes-Bug: #2086866
Depends-On: https://review.opendev.org/c/openstack/ironic/+/941607
Change-Id: Ib7f58b1694273beeb25314984c6e049376244d86

One of the "fun" aspects of accessing OCI images, is we have no way
to realistically gain awareness of the underlying disk format in the
OCI model, at least unless it is hinted at in the data model.
Where we're unable to really figure that out is when a user
supplies a specific digest URL. Ironic recognizes this and "right sizes"
the process and data discovery and explicitly notes the disk format it
believe to be 'unknown'.
In order for IPA to be able to stream, and appropriately check
this data format, IPA has be "okay" with 'unknown'. Everything else
appears good to get to this point. This doesn't prohibit the image
safety checking, just allows for the perception mismatch when the
format is 'unknown'
Change-Id: Ibe38245e906c659057a3c5ea7d8a0e474599ff5c

For the OCI artifact retrieval case, to enable authentication to be
passed from the conductor (in the form of a bearer token), we need to
be able to handle the case where this data is present, and then
initiate the connection with the appropriate token.
Change-Id: I380b32671cbc3a640bc5012ac241a7244750d117

Change-Id: I938eaaf29e3bc803155baa11b450d4d92e349d58

Updates the release note for the bootable container work to
clarify the existence of the configuration option which can
be utilized to disable bootable container deployments in the
ramdisk.
Change-Id: I5b269947884c015db38cf98ac782472a62858455

This reverts commit 412c8f3f4d.
Reason for revert: This landed in the wrong branch!
Change-Id: Ia4729c01e3e07f368fe691f91c3a1648a94c6d30

Adds support for bootable containers to be deployed by the agent.
Related: https://review.opendev.org/c/openstack/ironic/+/937897
Change-Id: I66cb37d117d2afc335f015fb1fc31bdbd5c3cee5

Pin upper-constraints
Change-Id: Ideaf6a27ff01ed3f0dedba6df89202c5d7936817