openstack/ironic-python-agent - ironic-python-agent - OpenDev: Free Software Needs Free Tools

Using prlimits is incompatible with passing arguments as a list:
oslo.concurrency ends up executing something like:
/opt/ironic-python-agent/bin/python3 -m oslo_concurrency.prlimit \
 --as=2147483648 -- ['env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', \
 '/tmp/cirros-0.6.2-x86_64-disk.img', '--output=json']
Which obviously fails. I don't understand how our CI has worked so far,
but the Metal3 BMO suite fails on this.
Change-Id: I46dbcb0f73bcbe09bb89b5c7195259570412698e

To help ease upgrades to Victoria, IPA had a knob added
to enable operators to express if agent tokens were required
in their deployment. Since then, the feature is required, however
we left the logic enabling the fun upgrade case handling.
At this point, this knob serves no further use, and can be removed.
Change-Id: I202f06e1b6598a802c9853fb99201c55e7a40cb1

In order to support a state of mid-cluster upgrades, IPA had logic
to permit the case of getting a call where we didn't have a token
but got token, which could happen in a deployment which is mid-upgrade.
The code now explicitly lacks that permissive logic because, at this
point, upgrades no longer need to be supported from the pre-victoria
clusters by current IPA.
Related-Bug: #2086865
Related-Bug: #2086866
Change-Id: Ia4c459158098f48cde4a6f6f9c96b25431a88081

This is a second attempt at securing the get command output endpoint
which could have data such as logs which could potentially have
sensitive details and information after the agent has completed
one or more actions.
Now, if a token is receieved, the agent locks out the command results
endpoint, and requires all future calls to include it.
This allows for the agent to be backwards compatible.
Special thanks go to cid for his first attempt at this, which I took
for the basis of some of the testing required.
Closes-Bug: #2086866
Co-Authored-By: cid@gr-oss.io
Change-Id: Ia39a3894ef5efaffd7e1d22cc6244059a32175ff

This reverts commit 6f860995c6.
Reason for revert: the change has broken virtually everyone who
has not updated Ironic before IPA. To make the matter worse, the
attached release note is not descriptive and does not explain
the upgrade impact.
The reverted change should be reworked to allow a graceful period.
Change-Id: I2a2a03dd8409af900b938494ceafd45a89e0c197

Securely handle state transition by locking down IPA at the final
stage of rescue operation to prevent restarts on tenant networks.
Closes-Bug: #2086865
Change-Id: I8e1be8da93a8c3fdf3cff7ad386c702d970d15f1

Currently, we only validate authentication tokens for POST but not
for GET requests which could mean anyone can retrieve command results
without authentication. Adding that uniformly across all command-related
endpoints.
Closes-Bug: #2086866
Depends-On: https://review.opendev.org/c/openstack/ironic/+/941607
Change-Id: Ib7f58b1694273beeb25314984c6e049376244d86

One of the "fun" aspects of accessing OCI images, is we have no way
to realistically gain awareness of the underlying disk format in the
OCI model, at least unless it is hinted at in the data model.
Where we're unable to really figure that out is when a user
supplies a specific digest URL. Ironic recognizes this and "right sizes"
the process and data discovery and explicitly notes the disk format it
believe to be 'unknown'.
In order for IPA to be able to stream, and appropriately check
this data format, IPA has be "okay" with 'unknown'. Everything else
appears good to get to this point. This doesn't prohibit the image
safety checking, just allows for the perception mismatch when the
format is 'unknown'
Change-Id: Ibe38245e906c659057a3c5ea7d8a0e474599ff5c

For the OCI artifact retrieval case, to enable authentication to be
passed from the conductor (in the form of a bearer token), we need to
be able to handle the case where this data is present, and then
initiate the connection with the appropriate token.
Change-Id: I380b32671cbc3a640bc5012ac241a7244750d117

Change-Id: I938eaaf29e3bc803155baa11b450d4d92e349d58

Updates the release note for the bootable container work to
clarify the existence of the configuration option which can
be utilized to disable bootable container deployments in the
ramdisk.
Change-Id: I5b269947884c015db38cf98ac782472a62858455

This reverts commit 412c8f3f4d.
Reason for revert: This landed in the wrong branch!
Change-Id: Ia4729c01e3e07f368fe691f91c3a1648a94c6d30

Adds support for bootable containers to be deployed by the agent.
Related: https://review.opendev.org/c/openstack/ironic/+/937897
Change-Id: I66cb37d117d2afc335f015fb1fc31bdbd5c3cee5

Pin upper-constraints
Change-Id: Ideaf6a27ff01ed3f0dedba6df89202c5d7936817

Closes-Bug: #2091593
Change-Id: I9798359b12de8c427263e8fc25f79b6f033211c4

It's useful to have pci bus address/driver collected, the operator can
use the information to configure portgroup in a consistent way.
Change-Id: I432bca881ad881bae6d5e67c9b6fb52fe55b4e1e

Migrated the existing lints to pre-commit and switched some over to ruff
to follow the changes that have landed in the ironic repo.
Change-Id: I361ca1b8d4ac9738f9c45ba6a87c377f5aca22a8
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

In these cases two backticks must be used instead of one.
Change-Id: I85b00742a06ad1137a2d8f761432af97338995bb
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

flake8 checks recommend avoiding f-strings.
Change-Id: I1636cb45c73463b9b1d70ad784582beca277af4a
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

Fix this pep8 violation.
Change-Id: Ia69382a501791e3d11c045278c72073849cee20c
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>

Change-Id: If3c8ed77587e4f36e6e9912c66eb9cd66700d515

Prevents the UnboundLocalError in erase_devices_express clean step.
Closes-Bug: #2095499
Change-Id: I01ce5005a62638ff960d2a75f225f882b2d56973

Debug messages from modprobe failing to load ipmi drivers can
be confusing and they do not add anything since they're
not really errors.
This patch silence the message in the logs.
Change-Id: I7452bc9e56148e3d423be92f384ff9aeffbe88d7

Related-Change: #939500
Change-Id: Id54f5bedd5c79c587bc4484914a8eb492e018010

Fail without retries when Errno 28 - "No space left
on device" error is encountered.
Closes-Bug: #2094854
Change-Id: Ie84b422916ddc02f2474164fe3da083324ef4824

Follow-up to 939340 to add a release note about the bug-fix.
Change-Id: I202f22d40776ab5d3245b8e14021d1404a9f478d

Use just md<index> as the default volume name if a volume name is not defined.
The original change (https://review.opendev.org/c/openstack/ironic-python-agent/+/853182)
introduced an error:
mdadm: Value "/dev/md0" cannot be set as name. Reason: Not POSIX compatible.\n
This change fixes it.
Closes-Bug: #2073406
Change-Id: Ic8bd473801fcb92fc814f6ad4e1d6dc316783bf3

ironic-lib is being retired; this change imports any used code from
ironic-lib and updates references.
This contains some changes to how we throw exceptions; aligning
ironic-lib code with IPA practice to have all exceptions be a RESTError.
This also allows us to remove code around serializing ironic-lib
exceptions.
Change-Id: I137340ce6820c68d8e0f1a32668151bba7b1ddd7

Adds support for running burnin tests on GPUs
using gpu-burn[1]. Also refactors stress-ng code
to be a bit cleaner.
Requires gpu-burn to be pre-installed within the IPA.
* https://github.com/wilicc/gpu-burn
Co-Authored-By: Scott Solkhon <scottsolkhon@gmail.com>
Closes-Bug: #2069085
Change-Id: I8f8cace6ebc2b7f1c245c82a64609cdfc1c492f9

The crypt module was removed in Python 3.13 . Replace the module by
new methods from oslo_utils.secretutils .
Closes-Bug: #2083955
Change-Id: I61060fc13aabc8116c3d0f8ad50ee8c415675f31

Update the 2023.1 release notes configuration to build from
unmaintained/2023.1.
Change-Id: I0d8b1773367a61b326b5a6ff86ac1f126b15099b