Commit Graph

370 Commits

Author SHA1 Message Date
Sharpz7 949387bd80 [codespell] Fixing Spelling Mistakes
This is the first in a series of commits to add support for codespell. This is continuing the process completed in ironic-python-agent.

Future Commits will add a Tox Target, CI support and potentially a git-blame-ignore-revs file if there are lots of spelling mistakes that could clutter git blame.

Change-Id: Id328ff64c352e85b58181e9d9e35973a8706ab7a
2024-02-12 19:58:56 +00:00
Zuul 13d6b02716 Merge "add default conductor group capability" 2024-01-23 19:17:57 +00:00
Jay Faulkner fe48440326 Update to latest pep8/code style versions
Update to latest versions for pep8 tox environment, correct any failures
created by change.

Change-Id: I605193dacc5e6be5c664b8daab44be16065b154d
2023-12-28 14:23:05 -08:00
Dmitry Tantsur 0902912217 Generic API for attaching/detaching virtual media
This patch allows attaching or detaching a generic image as
a virtual media device after a node has been provisioned.

Closes-Bug: #2033288
Change-Id: I97b68047d769f6fb686c53e89084b5874e02b8c7
2023-11-23 09:55:09 +01:00
Zuul f9a93c503d Merge "Reset parent_node values to uuids instead of names" 2023-10-18 22:29:41 +00:00
Julia Kreger d1ca14289e Reset parent_node values to uuids instead of names
So, I got myself nice and confused with testing parent_node logic
when I used a name, but the ironic internals are modeled around
queries involving UUID matching.

We now identify names, and reset the values to be a UUID.

Change-Id: I46ece586c254c58b80723bc905cad3144691fc5d
2023-10-10 13:06:42 +00:00
Julia Kreger 2366a4b86e Adds service steps
A huge list of initial work for service steps

* Adds service_step verb
* Adds service_step db/object/API field on the node object for the
  status.
* Increments the API version to 1.87 for both changes.
* Increments the RPC API version to 1.57.
* Adds initial testing to facilitate ensurance that supplied steps
  are passed through and executed upon.

Does not:

* Have tests for starting the agent ramdisk, although this is
  relatively boilerplate.
* Have a collection of pre-decorated steps available for immediate
  consumption.

Change-Id: I5b9dd928f24dff7877a4ab8dc7b743058cace994
2023-08-16 06:34:08 -07:00
Iury Gregory Melo Ferreira aecb581082 Firmware Interface
FirmwareInterface base
New Config options [default]
- enabled_firmware_interfaces
- default_firmware_interface

New FirmwareInterface base with update method
Implementations of FirmwareInterface
- FakeFirmware (fake)
- NoFirmware (no-firmware)

New entrypoint ironic.hardware.interfaces.firmware
* fake and no-firmware

Api Controllers
- Updated: driver/node/utils/versions
- Created: firmware

Unit tests
api-ref for Node Firmware

Fake and Noop implementation for FirmwareInterface

Change-Id: Ib3b9cb22099819f97d5eab1e3f1b670cb91cbb25
2023-07-11 07:39:15 -03:00
Julia Kreger c4e3100d5c Add hold steps
* Updates API version to 1.85 to permit an ``unhold`` verb
* Adds the ``deploy hold`` and ``clean hold`` provision states
  to the internal state machine.
* Adds on documentation on steps to help provide greater clarity
  to Ironic's users on how to utilize steps. It should be noted
  this documentation also includes the power state reserved step
  names from the DPU functionality patch.
* Fixes the state machine diagram. Changes type to PNG as SVG
  rendering is broken due to python libraries utilized for SVG
  generation which do not work on more recent Python versions.

Change-Id: I34f58f4e77e7757b89247fd64f5fcde26f679453
2023-06-30 14:34:26 -07:00
Julia Kreger 013ac0cb41 execute on child node support
Allows steps to be executed on child nodes, and adds
the reserved power_on, power_off, and reboot step names.

Change-Id: I4673214d2ed066aa8b95a35513b144668ade3e2b
2023-05-24 15:42:46 -07:00
Julia Kreger 3f5e25e182 DPU modeling - parent_node DB/Model/API
Adds the parent node support and tests in one change
including all DB/Model/API changes along with RBAC and
basic API tests.

* Updates the API version to 1.83
* Adds parent_node and related index to the nodes table.
* Adds new API parameters to list by parent node relationship.

Depends-On: https://review.opendev.org/c/openstack/ironic/+/883967
Change-Id: I8d64fee7105718199986db4994e13352d639f04f
2023-05-23 18:23:25 +00:00
Zuul ea6a037210 Merge "Refactoring: clean up inspection data handlers" 2023-03-23 16:06:49 +00:00
Dmitry Tantsur e30ba65f94 Refactoring: clean up inspection data handlers
* Avoid using the term "introspection". We need to settle on either
  "inspection" or "introspection", and the Ironic API already uses
  the former.

* Accept (and return) inventory and plugin data separately to reflect
  the Ironic API (single JSON blobs are an Inspector legacy).

* Make sure to mention the container name in error logging.

* Use more readable formatting syntax for building Swift names.

* Do not mock objects with dicts (in unit tests).

* Simplify inventory API tests.

Change-Id: Id8c4bc6d35b9634f5a5ac2b345a8fd7f1dba13c0
2023-03-14 18:26:06 +01:00
Julia Kreger 9953b5a2e8 add default conductor group capability
When creating nodes, previously there was no way to set a
default conductor group to create nodes with, thus forcing
a two step process, a dedicated conductor without a conductor
group to serve requests for it.

With this change, an operator can set specific conductor_group
settings by API, allowing increased delineation with reduced
risk of misconfiguration or mis-step.

Story: 2010267
Task: 46183
Change-Id: I21d58750504b2eecf3368d2e03eaca050065c3d7
2023-03-13 12:00:40 -07:00
Duc Truong 005f21c0df Fix auth_protocol and priv_protocol for SNMP v3
SNMP driver was using the wrong dictionary key to retrieve auth_protocol
and priv_protocol from driver info.  As a result, the SNMP client was
created with empty strings for both those fields.  Any nodes configured
to use SNMP v3 with those fields failed because the SNMP driver was
unable to perform power related operations due to authentication error.

- Use correct keys for snmp auth_protocol and priv_protocol when
  creating SNMP client
- Sanitize snmp auth_key and priv_key in API results

Story: 2010613
Task: 47535

Change-Id: I5efd3c9f79a021f1a8e613c3d13b6596a7972672
2023-03-01 16:44:40 -08:00
Zuul c4997e0137 Merge "Add support for filtering for sharded nodes" 2023-02-14 21:28:18 +00:00
Zuul e8888aa9ae Merge "Erase swift inventory entry on node deletion" 2023-02-14 18:39:57 +00:00
Jakub Jelinek bc921118b1 Erase swift inventory entry on node deletion
Follow-up to Ie174904420691be64ce6ca10bca3231f45a5bc58
which enables storage of inventory in Swift, but does not delete
the Swift entry when the node whose inventory is stored is deleted

Story: 2010275
Task: 46204
Change-Id: I74b19f7a42c1326d7ec04e6320176e81639ebfb4
2023-02-14 10:58:05 +00:00
Jay Faulkner a0c1fd8888 Add support for filtering for sharded nodes
This request parameter will allow an operator to ask the question
"Do I need to assign shards to any of my nodes?".

Change-Id: I26b745e5ef2b320a8d8a0667ac61c080fcdcd576
2023-02-13 11:46:21 -08:00
Jay Faulkner 8e34d622af API support for CRUD node.shard
- Basic support and testing for CRUD for node.shard.
- Policy checking for update node.shard.
- New API endpoint: GET /v1/shards
- Policy checking for GET /v1/shards
- Support for querying for nodes in a list of shards

Story: 2010378
Task: 46624
Change-Id: I385594339028c20cfc83fdcc4cbbec107efdacff
2023-02-13 11:46:21 -08:00
Jay Faulkner 36ef217fdb DB & Object layer for node.shard
DB and object implementations for new node.shard key.

Story: 2010768
Task: 46624
Change-Id: Ia7ef3cffc321c93501b1cc5185972a4ac1dcb212
2023-02-13 11:46:21 -08:00
Jakub Jelinek fe69e06c7c Reorganise Inventory Storage
Move functions storing and obtaining introspection data
from drivers/modules/inspector.py and api/controllers/v1/node.py
to driver/modules/inspect_utils.py

Follow-up to change If50f665da5fbb16f7646f3d6195a6e14e7325b0a

Story: 2010275
Task: 46204
Change-Id: I2b206670aff6ad3a9f9cc76236453abf42663cad
2023-01-21 14:46:21 +00:00
Jakub Jelinek f113210999 Create [inventory]
Create [inventory] to hold CONF parameters for storage of introspection data

Story: 2010275
Task: 46204
Change-Id: I06fa4f69160206dd350856e264cbb0842e34fd2a
2023-01-17 18:40:28 +00:00
Jakub Jelinek 2e80ea9099 API for node inventory
Add api to access node inventory

Story: 2010275
Task: 46204
Change-Id: If50f665da5fbb16f7646f3d6195a6e14e7325b0a
2023-01-12 15:09:18 +00:00
Julia Kreger bc8705c160 Allow project scoped admins to create/delete nodes
Adds capabilities for a project scoped admin to
create and delete nodes in Ironic's API.

These nodes are automatically associated with the
project of the requestor.

Effectively, this does allow anyone with sufficient
privileges, i.e. admin, in an OpenStack deployment
to be able to create new baremetal nodes and delete
those baremetal nodes. In this case, the user has
the "owner" level of rights in the RBAC model.

Change-Id: I3fd9ce5de0bc600275b5c4b7a95b0f9405342688
2022-08-17 09:53:14 -07:00
Julia Kreger fb253a670f Suppress Chassis Not Found on API Operation
When you have a multi-db deployment, or even just many
different threads operating on the same server with different
transactions, you can run into a situation where one thread
initiates a transaction to get a list of nodes, and then
another triggers a delete of the chassis (and most likely node,
but hey, there is really no way to detect that and work.)

So as the API is processing the response and making the json
result set, the query to resolve a chassis_id on a node object
can begin to fail.

Before this patch, this would raise an exception to the client.

Now, we just suppress the error, and return the field value
as None.

In the grand scheme, the node likely has also already
been deleted as well.

Change-Id: I3594ac580c01454c70922a965a2a653a8b568cbb
Closes-Bug: 1508995
Story: 1508995
Task: 10038
2022-08-02 02:56:07 +00:00
Dmitry Tantsur 55b9579f14 Fix compatibility with jsonschema>=4.0.0
Specify the schema version for network_data and node, otherwise the
latest one is used.

Also fix one test where the error message was changed.

Change-Id: I4a614d7e73348bbe6c355a40881b013cbfe00b03
2022-07-14 18:07:48 +02:00
Zuul e5a1997df8 Merge "Create API documentation from docstrings" 2022-03-17 15:35:42 +00:00
Mahnoor Asghar 3e631a5931 Create API documentation from docstrings
Create a new Sphinx extension called 'web_api_docstring' to process
docstrings from the API classes, in order to generate API
documentation.

Story: 2009785
Task: 44291
Change-Id: Ia6b2b3741e2b1cbd29531c21795df4f0f0dc70ca
2022-03-17 01:22:44 +05:00
Dmitry Tantsur 55144d3bd2 Fix resource_url in the remaining resources
Node history was particularly affected: limit was not converted from
string to integer, so "next" link was never added.

Add some safeguards to the generic API code.

Change-Id: I1328e2f07621bf7e39b96eb4a7ddb66c9a2b65bb
2022-01-24 19:10:29 +01:00
Arne Wiebalck 69227c66c2 Set resource_url when getting all nodes
Since the default value resource_url is None, make sure the
parameter is set to 'nodes' when getting all nodes.

Change-Id: I6cc52eb56c7888a433d24aa79154143d6f35cf83
2022-01-17 14:30:58 +01:00
Julia Kreger fb9eae7412 API endpoints to get node history
Adds API for retrieving node history events
via a node. Includes pagination and limitation
of the response set.

Story: 2002980
Task: 42961

Change-Id: I22a92fa6c30d721f6a5dd0670b2e0a9cf76ad7b1
2021-09-15 10:54:11 -07:00
Cenne 5b545086ac Minor formatting and doc changes to change boot mode feature commit.
Story: 2008567
Task: 41709
depends-on: https://review.opendev.org/c/openstack/ironic/+/800084
Change-Id: I44e41dc3d8abcb99a2248d7b9c7ac5e9d786bb98
2021-08-24 14:29:53 +02:00
Cenne bc95c92f7c Add api endpoints for changing boot_mode and secure_boot state
Done:
  - Node API endpoints expose
  - RPC methods
  - Conductor Manager methods
  - Conductor utils new methods
  - RBAC new policies
  - Node API tests
  - Manager Tests (+ some testing for utils methods)
  - RBAC tests
  - Docs (api-ref)
  - REST API version history
  - Releasenotes

Story: 2008567
Task: 41709

Change-Id: I2d72389edf546b99c536c6b130ca85ababf80591
2021-08-23 19:38:58 +02:00
Cenne 46ff51487a Add `boot_mode` and `secure_boot` to node object and expose in api
* add fields to Node object
  * expose them at endpoint `/v1/nodes/{node_ident}/states`
  * update states on powersync / entering managed state.
  * tests
  * update api endpoint info in api-ref

Story: 2008567
Task: 41709

Change-Id: Iddd1421a6fa37d69da56658a2fefa5bc8cfd15e4
2021-07-08 15:04:15 +02:00
Julia Kreger 9e477d1787 Fix typos in API sanitization change notes
Change https://review.opendev.org/c/openstack/ironic/+/794880
included a few minor typos and required a clarification of a point
which.

This change just makes those minor text changes.

Change-Id: I883d4ca89ba984c29b53b531af98f2f0be39edbf
2021-07-07 10:08:51 -07:00
Julia Kreger 9851b68ee9 Allow node_sanitize function to be provided overrides
The biggest amount of API overhead is the node sanitization
process, at least at this point in time.

We have streamlined the database interaction to ensure specific
field selection lists are as orderly as possible, but the
node sanitization code re-executes some methods over and over
which do not require variable data from the underlying node.

These are blanket settings "is the user allowed to see x, or y".

Which means we can call node_sanitize pre-seeding these
arguments and execute the calls once, instead of a thousand times
to have the same exact result.

Story: 2008885
Task: 42433

Change-Id: I342e7900cac388cb4749480684418a5a15ac60eb
2021-07-06 11:07:34 -07:00
Julia Kreger 87e42afb9e API to pass fields to node object list
This change modifies the nodes _get_nodes_collection method to
consider and pass in an explicit list of requested fields into
the node list method, while also including the required fields
for things like ownership/policy checking.

And slightly modifies node_convert_with_links method to simplify
it while enabling field validity to be checked, and specific
requisite field lists provided in based upon that value.

And also optionally builds the traits list as they are no longer
*always* populated on all objects with fully populated objects
as only partially hydrated objects are provided back when specific
fields are requested.

Story: 2008885
Task: 42572
Change-Id: Ided419263d84184cab902944b6c518f98618c9d2
2021-06-25 23:04:31 +00:00
Julia Kreger be3c153d56 Fix node detail instance_uuid request handling
The instance_uuid handling on the detailed node information
endpoint of the api (/v1/nodes/detail?instance_uuid=<uuid>),
which is used by services such as Nova for explicit node status
lookups, previously had special conditional logic surrounding it
which skipped the inclusion of the API requestor project-id, from
being incorporated into the database query.

Ultimately, this allowed an authenticated user to obtain a partially
redacted node entry where sensitive informational fields were scrubbed
from the response payload.

With this fix, queries for an explicit instance_uuid now follow the
standard path inside the Ironic API to the database which includes
inclusion of a requestor Project-ID if required by configured policy.

Change-Id: I9bfa5a54e02c8a1e9c8cad6b9acdbad6ab62bef3
Story: 2008976
Task: 42620
2021-06-17 08:55:18 -07:00
Zuul 2f139acded Merge "Secure RBAC - Efficient node sanitization" 2021-06-01 19:12:05 +00:00
Julia Kreger 6cd6457479 Secure RBAC - Efficient node sanitization
An investigation of performance issues in Ironic revealed that the
policy checking was performing extra un-needed work which performed
excess computational overhead when parsing the result data.

In this specific case, the Secure RBAC work added some additional
policy checks around the individual fields.

Change-Id: I77b6e0e6c721f2ff1f8b9f511acde97fcdb21a39
Story: 2008885
Task: 42432
2021-05-24 14:05:28 +00:00
Dmitry Tantsur 172d1b22df Delay rendering configdrive
When the configdrive input is JSON (meta_data, etc), delay the rendering
until the ISO image is actually used. It has two benefits:
1) Avoid storing a large ISO image in instance_info,
2) Allow deploy steps to access the original user's input.

Fix configdrive masking to correctly mask dicts.

Story: #2008875
Task: #42419
Change-Id: I86d30bbb505b8c794bfa6412606f4516f8885aa9
2021-05-19 15:17:49 +02:00
kafilat-adeleke 5c303a5e0a Aliases for a few unfortunately named state transitions
This RFE proposes a new microversion that will provide
aliases to two poorly named provisioning verbs
to match the existing CLI commands

Story: #2007551
Task: #39402
Change-Id: Ifd14aebbfb4b17c5108f44092dac0b89d1c2c50a
2021-04-15 08:25:13 +01:00
Dmitry Tantsur 24be3c2286 Allow using per-site network_data schema
I have been against it since the beginning of this work, hoping that we
can settle down on one network data format, one is more native for
Ironic because of our relation to OpenStack. This has not happened, with
e.g. CoreOS only using its own formats. So, let it be. Use with caution.

Change-Id: I872d010517cd343fcbcafadb4535f07ca15c2c95
2021-03-26 15:33:14 +01:00
Dmitry Tantsur 30a85bd0ce API to force manual cleaning without booting IPA
Adds a new argument disable_ramdisk to the manual cleaning API.
Only steps that are marked with requires_ramdisk=False can be
run in this mode. Cleaning prepare/tear down is not done.

Some steps (like redfish BIOS) currently require IPA to detect
a successful reboot. They are not marked with requires_ramdisk
just yet.

Change-Id: Icacac871603bd48536188813647bc669c574de2a
Story: #2008491
Task: #41540
2021-03-16 16:08:46 +01:00
Julia Kreger e9dfe5ddaa Port/Portgroup project scoped access
This patch implements the project scoped rbac policies for a
system and project scoped deployment of ironic. Because of the
nature of Ports and Portgroups, along with the subcontroller
resources, this change was a little more invasive than was
originally anticipated. In that process, along with some
discussion in the #openstack-ironic IRC channel, that it
would be most security conscious to respond only with 404s if
the user simply does not have access to the underlying node
object.

In essence, their view of the universe has been restricted as
they have less access rights, and we appropriately enforce that.
Not expecting that, or not consciously being aware of that, can
quickly lead to confusion though. Possibly a day or more of
Julia's life as well, but it comes down to perceptions and
awareness.

Change-Id: I68c5f2bae76ca313ba77285747dc6b1bc8b623b9
2021-03-02 15:45:03 -08:00
Julia Kreger f1641468bb Project Scoping Node endpoint
* Adds additional policies:
  * baremetal:node_get:last_error
  * baremetal:node:get:reservation
  * baremetal:node:get:driver_internal_info
  * baremetal:node:get:driver_info
  * baremetal:node:update:driver_info
  * baremetal:node:update:properties
  * baremetal:node:update:chassis_uuid
  * baremetal:node:update:instance_uuid
  * baremetal:node:update:lessee
  * baremetal:node:update:driver_interfaces
  * baremetal:node:update:network_data
  * baremetal:node:update:conductor_group
  * baremetal:node:update:name

* With new policies, responses of filtering and posted data is
  performed. Testing has been added to the RBAC testing files
  to align with this and the defaults where pertinent.

* Adds another variation of the common policy check method
  which may be useful in the long term. This is too soon to
  tell, but the overall purpose is to allow similar logic
  patterns to the authorize behavior. This is because the
  standard policies are, at present, also used to control
  behavior of response, and node response sanitization needs
  to be carefully navigated.

This change excludes linked resources such as /nodes/<uuid>/ports,
portgroups, volumes/[targets|connectors]. Those will be in later
changes, as the node itself is quite a bit.

Special note:
* The indicator endpoint code in the API appears to be broken
  and given that should be fixed in a separate patch.

Change-Id: I2869bf21f761cfc543798cf1f7d97c5500cd3681
2021-03-02 15:43:29 -08:00
Aija Jauntēva 3138acc836 Add 'deploy steps' parameter for provisioning API
Story: 2008043
Task: 40705
Change-Id: I3dc2d42b3edd2a9530595e752895e9d113f76ea8
2021-02-03 11:47:53 -05:00
Steve Baker 8669837ea2 Consistently use utils functions for policy auth
The check_policy function exists in api utils, along with other more
complex policy utility functions. This change replaces direct calls to
authorize with calls to check_policy.

Having authorize calls consolidated in api utils may help with the
upcoming secure-rbac work.

Change-Id: If4779b08b9f360f4c2f4675c605aa519f6ea4778
2020-12-17 12:11:08 +13:00
Steve Baker a3644ebd63 Improve object_to_dict arguments
As a follow-up to the review feedback in [1], type specific fields
arguments are removed and the type is inferred from the versioned
object fields.

Story: 1651346
Task: 10551
[1] https://review.opendev.org/751160

Change-Id: I89a65214ab7d550d0b4a327dd033c27399ae13bf
2020-11-27 10:52:14 +13:00