author    dparalen <vetrisko@gmail.com>  2017-04-18 18:49:40 +0200
committer dparalen <vetrisko@gmail.com>  2017-05-17 16:36:38 +0200
commit    57ad6f6ddce3c1c672b7de13a760076b5ba16c1a
tree      27a40f463cd1fc1bb19e84219d372902aa733471
parent    d425662f8b4209a379f510c463d40d3b5b60f6d6
Follow up PXE filter driver
This is a follow-up[1] patch updating the driver interface specification
replacing the low-level filter interface with a single method sync() to avoid
stale filter state if the lists are not passed through a single call. The
suggestion to keep the introspection data for the lifetime of a node is removed
too. Some driver implementation suggestions are added with neutron, dnsmasq and
iptables in mind.

[1] I7022d10fd22e6e141e59d0596402f43d2dcde056

Change-Id: I260223b364f3550391c99bdc6214a0355fe6b565
Notes (review):
Code-Review+1: Bob Fournier <bfournie@redhat.com>
Code-Review+2: Anton Arefiev <aarefiev@mirantis.com>
Code-Review+2: Sam Betts <sam@code-smash.net>
Workflow+1: Sam Betts <sam@code-smash.net>
Verified+2: Jenkins
Submitted-by: Jenkins
Submitted-at: Thu, 18 May 2017 12:44:20 +0000
Reviewed-on: https://review.openstack.org/457765
Project: openstack/ironic-inspector-specs
Branch: refs/heads/master
 specs/multiple-pxe-filtering-backends.rst | 56
 1 file changed, 31 insertions, 25 deletions
diff --git a/specs/multiple-pxe-filtering-backends.rst b/specs/multiple-pxe-filtering-backends.rst
index a343f00..f9a5493 100644
--- a/specs/multiple-pxe-filtering-backends.rst
+++ b/specs/multiple-pxe-filtering-backends.rst
@@ -54,15 +54,9 @@ items:
54* ``init_filter(self)`` may be synchronous; initializes internal filter state. 54* ``init_filter(self)`` may be synchronous; initializes internal filter state.
55 This method may perform system-wide filter state changes. 55 This method may perform system-wide filter state changes.
56 56
57* ``whitelist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous; 57* ``sync(self, ironic=None)`` called in a background thread; performs the
58 enables the DHCP requests from these nodes. 58 synchronization between **ironic**, **inspector** and the driver internal
59 59 state e.g updating ``iptables``.
60* ``blacklist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
61 disables the DHCP requests from specified nodes.
62
63* ``remove_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
64 removes nodes no longer tracked by **ironic/inspector** from both the filter
65 lists.
66 60
67* ``tear_down_filter(self)`` may be synchronous; resets internal filter state. 61* ``tear_down_filter(self)`` may be synchronous; resets internal filter state.
68 This method may perform system-wide filter state changes. 62 This method may perform system-wide filter state changes.
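Review bot: the new ``sync(self, ironic=None)`` entry leaves the ``ironic`` parameter undocumented: state what object is passed (an ironic client?) and what the driver is expected to do when it is ``None`` (build its own client, or skip the ironic side of the synchronization). Since ``sync`` runs in a background thread while ``init_filter`` and ``tear_down_filter`` "may perform system-wide filter state changes", the interface should also state the ordering and locking guarantees between the three, otherwise a ``sync`` racing a tear-down can reintroduce exactly the stale filter state this change sets out to remove. Minor: "e.g updating" should read "e.g. updating".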
@@ -70,14 +64,13 @@ items:
70This abstract interface shall reside in **inspector** tree, together with an 64This abstract interface shall reside in **inspector** tree, together with an
71``iptables`` and a ``noop`` driver implementation. 65``iptables`` and a ``noop`` driver implementation.
72 66
73Any driver-specific High-Availability concerns (such as leader election) are 67In addition, a *generic* ``get_periodic_sync_task`` filter driver method shall
74out of scope of this spec and the **inspector** code base and should be 68be provided that particular driver implementations may consider overriding to
75addressed by particular drivers internally. 69e.g opt-out from the periodic synchronization.
76 70
77We also suggest to drop introspection status cache cleaning to reduce the 71Any driver-specific High-Availability concerns are out of scope of this
78synchronization between the filter and **ironic** and remove the periodic 72spec and the **inspector** code base and should be addressed by particular
79firewall update procedure in favor of the periodic **ironic** synchronization 73drivers internally.
80procedure.
81 74
82Alternatives 75Alternatives
83------------ 76------------
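Review bot: the ``get_periodic_sync_task`` paragraph does not give the method's contract: what it returns (a periodic task object, or a callable plus an interval?) and how a driver opts out (return ``None``?). Without that, driver authors cannot implement the override the text invites, and the base class cannot distinguish "no periodic sync" from "not implemented". Suggest one sentence stating the return type and the opt-out value. Minor: "e.g opt-out" should read "e.g. opt out".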
@@ -135,9 +128,6 @@ Deployer impact
135* The ``firewall.firewall_update_period`` configuration option shall be 128* The ``firewall.firewall_update_period`` configuration option shall be
136 *deprecated and ignored*. 129 *deprecated and ignored*.
137 130
138* The inspector ``node_status_keep_time`` shall be *deprecated and ignored*,
139 implying caching a node inspection status for the lifetime of the node.
140
141* Deployer might consider custom drivers fitting their needs. 131* Deployer might consider custom drivers fitting their needs.
142 132
143* A "standard" **grenade** testing with the firewall-based driver will be 133* A "standard" **grenade** testing with the firewall-based driver will be
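Review bot: with ``firewall.firewall_update_period`` now *deprecated and ignored* and the filter driven by a periodic sync task, this section should say how the synchronization period is configured (or that it is fixed), since deployers who tuned the old option lose that knob without a replacement being named. Dropping the ``node_status_keep_time`` item is consistent with the commit message.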
@@ -147,13 +137,32 @@ Developer impact
147---------------- 137----------------
148 138
149Developers of custom PXE filter drivers should adhere to the proposed driver 139Developers of custom PXE filter drivers should adhere to the proposed driver
150interface. Any High-availability considerations should be addressed by the 140interface. Any specific High-availability considerations should be addressed by
151drivers internally. The `stevedore`_ library will be used to implement the 141the drivers internally. The `stevedore`_ library will be used to implement the
152driver loading mechanism. 142driver loading mechanism.
153 143
154Implementation 144Implementation
155============== 145==============
156 146
147To illustrate what a driver implementation may look like we list what
148information will a particular driver have to deal with internally, comparing
149possible ``sync`` method implementations of the drivers.
150
151.. table:: Features
152
153 +---------------+----------------------------+----------------------------+----------------------------+
154 | Driver | Whitelist | Blacklist | Discovery support |
155 +===============+============================+============================+============================+
156 | neutron | Update the PXE port with | Clear the inspection | N/A (a separate VLAN) |
157 | | the inspection network ID | network ID on the PXE port | |
158 +---------------+----------------------------+----------------------------+----------------------------+
159 | dnsmasq | Allow a lease for a MAC | Deny a lease for a MAC | Grant leases by default |
160 | | address explicitly | address explicitly | |
161 +---------------+----------------------------+----------------------------+----------------------------+
162 | iptables | Subtract the MAC addresses | Deny access for the MAC | Accept DHCP traffic by |
163 | | from the blacklist | addresses | default |
164 +---------------+----------------------------+----------------------------+----------------------------+
165
157Assignee(s) 166Assignee(s)
158----------- 167-----------
159 168
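Review bot: the table makes a security-relevant asymmetry between the drivers visible but the text does not draw it out: for dnsmasq and iptables the "Discovery support" column means an address on neither list gets DHCP service, so a ``sync`` that applies the blacklist incrementally, or stops midway, leaves a window in which nodes that should be blocked obtain a lease. Suggest stating that ``sync`` must derive both lists from a single ironic/inspector snapshot and apply them atomically (for iptables, build the new rule set and swap it in rather than editing rules in place), which is the reason the per-list calls were replaced. Wording: "what information will a particular driver have to deal with" should be "what information a particular driver will have to deal with", and the iptables whitelist cell "Subtract the MAC addresses from the blacklist" would be clearer as "Remove the MAC addresses from the blacklist".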
@@ -165,14 +174,11 @@ Work Items
165 174
166* introduce the abstract driver interface 175* introduce the abstract driver interface
167* refactoring current firewall-based filter 176* refactoring current firewall-based filter
168* deprecate the the ``node_status_keep_time`` configuration option and make the
169 status records last for the node lifetime
170 177
171Dependencies 178Dependencies
172============ 179============
173 180
174The `stevedore`_ library will be used to implement the driver loading 181None
175mechanism.
176 182
177Testing 183Testing
178======= 184=======
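Review bot: replacing the Dependencies section with ``None`` is inconsistent with the Developer impact paragraph earlier in this patch, which still says the `stevedore`_ library will be used to implement the driver loading mechanism. If stevedore is already a dependency of inspector, say so ("None; stevedore is already required"), otherwise it belongs in this section. Also check that the ``.. _stevedore:`` link target is still defined somewhere in the file after this paragraph is removed, or the remaining `stevedore`_ reference will fail to render.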