Currently Permissive is treated like Disabled for bootc install which
means the written operating system will also have SELinux disabled.
This change treats Permissive like Enforcing, with the assumption that
Permissive is "enough" SELinux enforcement for bootc install.
Likely all IPA builds on SELinux distros are set to Permissive[1], which
means it is currently not practical to provision a SELinux enabled bootc
system.
[1] https://opendev.org/openstack/ironic-python-agent-builder/src/branch/master/dib/ironic-ramdisk-base/element-deps#L3
Change-Id: Id8a049b242a8c7e38103afc988749ecb2a787ce4
Signed-off-by: Steve Baker <sbaker@redhat.com>
The enable_vlan_interfaces config option supports a comma-separated list
of <interface>.<vlan> pairs. However, using this relies on knowledge of
the interface name. When used via the ipa-enable-vlan-interfaces kernel
command-line parameter, an interface name may be hard to predict.
As an alternative to identifying interfaces by name, support identifying
them by MAC.
Change-Id: Ice822a8e7b8d82352b3b39f87d930bef3eb7b461
Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
While we didn't traditionally log all API requests in IPA, it's a good
idea. This code is derived from the code in Ironic to do the same thing.
Assisted-by: Claude-code
Change-Id: I94de68ec7a251830b3e393485154233b0b908e06
Signed-off-by: Jay Faulkner <jay@jvf.cc>
The test was taking 30 seconds due to _find_routable_addr()
entering a retry loop even when no IPs were collected from
unreachable API URLs. The code would loop 3 times with 10
second sleeps between attempts despite having nothing to check.
Add an early return when the ips set is empty to avoid
unnecessary retries.
Change-Id: I21892e0ea7351cabab740a86fc82ff7d087d4cb8
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
When Ironic uses out-of-band management interfaces like Redfish,
iDRAC, iLO, or iRMC, the BMC address is already known and configured
in Ironic. This change allows the agent to skip BMC address detection
via ipmitool when instructed by Ironic through the lookup response.
This reduces deployment time by avoiding unnecessary ipmitool calls
during hardware inventory collection.
The agent now checks for the 'agent_skip_bmc_detect' flag in the
config section of the lookup response and skips BMC detection
accordingly. This flag is stored in the cached node data for use
during hardware inventory collection.
Depends-On: I6a432db3eb238894e0ed2676243ce69ec300a9eb
Assisted-By: Claude Sonnet 4.5
Change-Id: Id5470136defb981d1855e3c57cd16c03a6eb916e
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
The _test_ip_reachability method was only using the hostname/IP
address when testing reachability, ignoring the port number from
the API URL. This caused LookupAgentIPError when the Ironic API
was running on a non-standard port (e.g., 6385).
This change modifies _test_ip_reachability to:
- Accept the full API URL instead of just an IP address
- Use the complete URL (including protocol and port) when testing
The _find_routable_addr method now passes the full api_url to
_test_ip_reachability instead of just the hostname, ensuring the
port is included in reachability tests.
Assisted-By: Claude Sonnet 4.5
Change-Id: Ibb407255cfcd5cf9617f040338561fd494e8b41f
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
In rescue mode, the agent attempts to stop the heartbeater thread
even though it was never started, causing a RuntimeError. This fix
adds checks to ensure the heartbeater thread is alive before
attempting to stop it.
Assisted-By: Claude Sonnet 4.5
Change-Id: I3e97b10f2c7f3c454f0db2a3c3c8efb61ffeda5a
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
The advertised ip for ironic API is checked only as routable but
it could still be unreachable, we need to check the actual
connectivity before assigning it.
Assisted-By: Claude Sonnet 4
Change-Id: I0adca5ad00ba419a7e2aa6883b3690b4507c25e5
Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>
The is_root_volume config option has been listed in the documentation
for a while, but has not been supported by the IPA.
With this patch, if there is a logical disk
in the target_raid_config with the setting is_root_volume: True,
it will be picked up as the root device (root_device hints
will not even be checked). Additionally, if is_root_volume: False,
for a volume then it will be excluded from the list of
possible root devices used by the root_device hints.
Depends-On: https://review.opendev.org/c/openstack/ironic-python-agent/+/965797
Change-Id: If195b8f2c471cd7cf3f690664c7f13b6cef10ce2
Signed-off-by: Jakub Jelinek <jakub.jelinek@cern.ch>
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Added logic for matching hints with lists of WWN/Serial. These lists
appear when both lsblk and udev are used to fetch the information about
a device. One consequence of this is that it allows a device on the
skip list to be used as root device, thus overwriting the protected
data. This has previously been handled before matching the hints,
e.g. the removed section in hardware.py. This patch aims to fix the
problem globally by handling the issue inside the find_devices_by_hints
function.
Closes-bug: #2130410
Change-Id: I28129f2ededb37474025f35164d5dc9ece21ec8e
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Signed-off-by: Jakub Jelinek <jakub.jelinek@cern.ch>
Marking PReP (PowerPC Reference Platform) partition support as
deprecated in ironic-python-agent. PReP partitions are used to boot
ppc64* systems. POWER hardware is a small, specialized share of today's
bare-metal deployments.
This is more or less a litmus test on whether PReP support should be
retired; highlighting the comment at: https://review.opendev.org/c/openstack/ironic-python-agent/+/958333?tab=comments&commentId=00ef1ecc_d1f149b9
Change-Id: I88081500f7f951ce3627944c2945d4cfbdbbf451
Signed-off-by: Afonne-CID <afonnepaulc@gmail.com>
The original implementation of the skip block devices for RAID arrays:
https://review.opendev.org/c/openstack/ironic-python-agent/+/852999
introduced a couple bugs which were uncaught:
1. Key error when a holder disk contains just logical disks on the skip list.
2. RAID arrays on skip list throw "Failed to remove partitions" because they are not removed from the list of remaining RAID devices when running wipefs
3. list_block_devices_check_skip_list does not match volume names to RAID arrays
4. MD superblock wrongly checked (detail instead of examine)
5. Partition tables are being created when a partition is on a skip list
6. EFI partition handling in a scenario when a partition on the same physical disk is not deleted
Closes-bug: #2080871
Signed-off-by: Jakub Jelinek <jakub.jelinek@cern.ch>
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Change-Id: I59b65c6b69af2385ed8a5dcd427e4d9c91f90abe
There is a conditional which is supposed to check whether there are
any erasable devices. However, in the current state, the conditional
is wrong as the call is missing the node as a parameter.
Signed-off-by: Jakub Jelinek <jakub.jelinek@cern.ch>
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Change-Id: I38768b9ba3dc1bb5160e5841865450a8d7df5466
In test_create_configuration_with_different_disks_skip_list there are redundant side-effects which are never used.
Change-Id: I7b6acbd6583831ba82d6a68ce0d8410ee0bd18a2
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Some motherboards return UTF-8 for the efibootmgr. This results in IPA not being able to remove duplicate records, etc.
This change implements a check for UTF-16 compatibility and tries to decode efibootmgr output as UTF-8 otherwise.
Closes-bug: #2072336
Co-Authored-By: Jakub Jelinek <jakub.jelinek@cern.ch>
Change-Id: I35432773826d13edb1dc9dd25f99bb0907a8fa0d
Signed-off-by: Morten Stephansen <morten.kaastrup.stephansen@cern.ch>
Signed-off-by: Jakub Jelinek <jakub.jelinek@cern.ch>
Adds a tran field to the block device and allow to use it
as a root device hint.
Change-Id: I3fc83730a6100abb2b2aa98fc894713ecbbe3043
Closes-Bug: #2100951
Signed-off-by: Kaifeng Wang <kaifeng.w@gmail.com>
Adds a wall timeout `image_download_max_timeout` to enforce an upper
bound on total download duration.
While the per-chunk timeout protects against stalled reads, downloads
that trickle in just under the timeout threshold (e.g., due to heavy
TCP retransmits) can hang for longer than intended.
Now, if the total allowed time is exceeded, the download is aborted with
a non-retryable `ImageDownloadTimeoutError` regardless of per-chunk
retry or connection success.
A value of 0 (the default) disables this feature.
Closes-Bug: #2115995
Change-Id: I3b56d21abae0488853bfed14072ba21116d47baf
Signed-off-by: Afonne-CID <afonnepaulc@gmail.com>
Returning None means "exclude any device". It still works if the only
hardware manager is GenericHardwareManager, but enabling any more
without overriding filter_device causes all devices to get filtered.
Change-Id: I25eb028baa1b9182caee07a0b935e9fa107999a8
Closes-Bug: #2117234
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
Create a file efibootmgr with the verbose output of the efibootmgr command
when collecting the system logs. This can be used for debugging of boot order.
Change-Id: Ic957024d19bb01a45a3014dc2a5e4492d087e893
Signed-off-by: Jakub Jelinek <vilouskubajj@gmail.com>
... instead of using oslo.service. Current usage of oslo.service is
too limited to add the dependency, because
- oslo.service registers multiple options but only two of these are
used
- the wrap implementation from oslo.service is not actually used
Change-Id: I4e8f18951d73e329a54cf6546344c5704fe4aa90
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
My use case for this feature is to exclude network devices that use
the cdc_ether driver. These USB network interfaces often cause all sorts
of issues. For example, some models have the same hardcoded MAC address,
which breaks inspection.
Currently, to exclude a certain device, a hardware manager must override
the entire listing function (in my case, list_interfaces). Not only is
it tedious, but it also requires constantly updating the hardware
managers to match the implementation in GenericHardware. Realistically,
it will cause hardware manager authors to inherit GenericHardware, which
is the opposite of how hardware managers should be written.
Note that the node-level skip list only affects root device selection
and cleaning for block devices. This feature affects everything that
uses list_block_devices and is applied before the node-level skip list.
This change adds a new hardware manager call filter_device. For each
network, block or USB device, it allows a hardware manager to do either
of four things:
1. Delegate the decision to a lower level hardware manager by raising
IncompatibleHardwareMethodError
2. Remove the device by returning None
3. Change the device by returning a modified instance
4. Return the device unchanged to keep it in the listing.
Note that I'm removing debug logging when IncompatibleHardwareMethodError
is raised. Not only the log message is incorrect (the error does not
necessarily mean that the method is not implemented at all), it already
noticeable space in the logs, and with this change will become very
noisy.
Change-Id: I5437343af6c6157882bcf0600dd89bd20478c948
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
The current code in GenericHardware.evaluate_hardware_support ends up
using hardware manager calls, which then use partly initialized hardware
manager list and can even cause a recursion.
This change introduces a new optional call initialize() which is
guaranteed to run:
1) After all hardware managers have been evaluated
2) After the hardware manager cache is populated
3) In the order of the support level of hardware managers
Change-Id: I068d3d73483c161062aa3b48f3154a2d99941382
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
These objects are frequently logged or compared in unit tests.
It's very helpful to be able to inspect their content.
Change-Id: Ib725dcd5f54f4492205f95974d887b8b42c74039
When creating multiple software RAID logical disks that use different
sets of physical devices, the partition indices were incorrectly shared
across all devices. This caused the second RAID array creation to fail
because it tried to use partition indices that didn't exist on those
specific devices.
This change fixes the issue by tracking partition indices separately for
each physical device, ensuring that each device's partitions are numbered
correctly starting from their first available index.
Closes-Bug: #2115211
Change-Id: I440db4654f3d1d54274d1eee8c4b21c2b0a18d22
Signed-off-by: Mohammed Naser <mnaser@vexxhost.com>
Fetching the permanent MAC address of the interface instead of the
default one allows to get the right one in case it got changed during
setup (likely with a bonding setup).
In order to fetch the permanent MAC address of a given interface, one
can either use Netlink (either rtnetlink or ethtool), or use ethtool
ioctl.
The use of ioctl feels simpler and requires no additional dependency.
The implementation falls back to older behavior should an error occur.
Closes-Bug: #2103450
Change-Id: I54151990e396ddcf775128ca24d3db08e45c256d
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
This change removes several usages of eventlet from IPA:
- Upgrades all requirements on oslo library versions to new ones that
support non-eventlet use.
- Removes use of the eventlet wsgi server (via oslo_service.wsgi) and
replaces it with the cheroot wsgi server.
- Removes explicit patching of python modules with eventlet
Note that due to some oslo libraries still using ``eventlet`` to detect
and workaround it's use. This means that it is still installed in
environments alongside IPA, even if it's not used or patched into any
modules.
Depends-On: https://review.opendev.org/c/openstack/requirements/+/947727
Change-Id: I9accab2d5e9529a88ef5d3db85e76901f14114eb
