Follow up PXE filter driver

This is a follow-up[1] patch updating the driver interface specification replacing the low-level filter interface with a single method sync() to avoid stale filter state if the lists are not passed through a single call. The suggestion to keep the introspection data for the lifetime of a node is removed too. Some driver implementation suggestions are added with neutron, dnsmasq and iptables in mind. [1] I7022d10fd22e6e141e59d0596402f43d2dcde056 Change-Id: I260223b364f3550391c99bdc6214a0355fe6b565
2017-04-18 18:49:40 +02:00 · 2017-04-18 18:49:40 +02:00 · 57ad6f6ddc
parent d425662f8b
commit 57ad6f6ddc
1 changed files with 31 additions and 25 deletions
--- a/specs/multiple-pxe-filtering-backends.rst
+++ b/specs/multiple-pxe-filtering-backends.rst
@ -54,15 +54,9 @@ items:
 * ``init_filter(self)`` may be synchronous; initializes internal filter state.
  This method may perform system-wide filter state changes.

-* ``whitelist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
-  enables the DHCP requests from these nodes.
-
-* ``blacklist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
-  disables the DHCP requests from specified nodes.
-
-* ``remove_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
-  removes nodes no longer tracked by **ironic/inspector** from both the filter
-  lists.
+* ``sync(self, ironic=None)`` called in a background thread; performs the
+  synchronization between **ironic**, **inspector** and the driver internal
+  state e.g updating ``iptables``.

 * ``tear_down_filter(self)`` may be synchronous; resets internal filter state.
  This method may perform system-wide filter state changes.
@ -70,14 +64,13 @@ items:
 This abstract interface shall reside in **inspector** tree, together with an
 ``iptables`` and a ``noop`` driver implementation.

-Any driver-specific High-Availability concerns (such as leader election) are
-out of scope of this spec and the **inspector** code base and should be
-addressed by particular drivers internally.
+In addition, a *generic* ``get_periodic_sync_task`` filter driver method shall
+be provided that particular driver implementations may consider overriding to
+e.g opt-out from the periodic synchronization.

-We also suggest to drop introspection status cache cleaning to reduce the
-synchronization between the filter and **ironic** and remove the periodic
-firewall update procedure in favor of the periodic **ironic** synchronization
-procedure.
+Any driver-specific High-Availability concerns are out of scope of this
+spec and the **inspector** code base and should be addressed by particular
+drivers internally.

 Alternatives
 ------------
@ -135,9 +128,6 @@ Deployer impact
 * The ``firewall.firewall_update_period`` configuration option shall be
  *deprecated and ignored*.

-* The inspector ``node_status_keep_time`` shall be *deprecated and ignored*,
-  implying caching a node inspection status for the lifetime of the node.
-
 * Deployer might consider custom drivers fitting their needs.

 * A "standard" **grenade** testing with the firewall-based driver will be
@ -147,13 +137,32 @@ Developer impact
 ----------------

 Developers of custom PXE filter drivers should adhere to the proposed driver
-interface. Any High-availability considerations should be addressed by the
-drivers internally. The `stevedore`_ library will be used to implement the
+interface. Any specific High-availability considerations should be addressed by
+the drivers internally. The `stevedore`_ library will be used to implement the
 driver loading mechanism.

 Implementation
 ==============

+To illustrate what a driver implementation may look like we list what
+information will a particular driver have to deal with internally, comparing
+possible ``sync`` method implementations of the drivers.
+
+.. table:: Features
+
+    +---------------+----------------------------+----------------------------+----------------------------+
+    | Driver        | Whitelist                  | Blacklist                  | Discovery support          |
+    +===============+============================+============================+============================+
+    | neutron       | Update the PXE port with   | Clear the inspection       | N/A (a separate VLAN)      |
+    |               | the inspection network ID  | network ID on the PXE port |                            |
+    +---------------+----------------------------+----------------------------+----------------------------+
+    | dnsmasq       | Allow a lease for a MAC    | Deny a lease for a MAC     | Grant leases by default    |
+    |               | address explicitly         | address explicitly         |                            |
+    +---------------+----------------------------+----------------------------+----------------------------+
+    | iptables      | Subtract the MAC addresses | Deny access for the MAC    | Accept DHCP traffic by     |
+    |               | from the blacklist         | addresses                  | default                    |
+    +---------------+----------------------------+----------------------------+----------------------------+
+
 Assignee(s)
 -----------

@ -165,14 +174,11 @@ Work Items

 * introduce the abstract driver interface
 * refactoring current firewall-based filter
-* deprecate the the ``node_status_keep_time`` configuration option and make the
-  status records last for the node lifetime

 Dependencies
 ============

-The `stevedore`_ library will be used to implement the driver loading
-mechanism.
+None

 Testing
 =======