Merge stable/2024.1 into stackhpc/2024.1
#88
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is not a valid check to import the hwm without it being loaded into IPA first, as objects such as the configuration object won't be loaded yet. Change-Id: Icf20e71e8061bb886885c1b2e29bd13ccac37ade (cherry picked from commit ba5c1bf)
This is a backport of two changes merged together to facilitate
backporting:
The first is a refactor of disk utilities:
Import disk_{utils,partitioner} from ironic-lib
With the iscsi deploy long gone, these modules are only used in IPA and
in fact represent a large part of its critical logic. Having them
separately sometimes makes fixing issues tricky if an interface of
a function needs changing.
This change imports the code mostly as it is, just removing run_as_root and
a deprecated function, as well as moving configuration options to config.py.
Also migrates one relevant function from ironic_lib.utils.
The second is the fix for the security issue:
Inspect non-raw images for safety
When IPA gets a non-raw image, it performs an on-the-fly conversion
using qemu-img convert, as well as running qemu-img frequently to get
basic information about the image before validating it.
Now, we ensure that before any qemu-img calls are made, that we have
inspected the image for safety and pass through the detected format.
If given a disk_format=raw image and image streaming is enabled
(default), we retain the existing behavior of not inspecting it in
any way and streaming it bit-perfect to the device. In this case, we
never use qemu-based tools on the image at all.
If given a disk_format=raw image and image streaming is disabled, this
change fixes a bug where the image may have been converted if it was not
actually raw in the first place. We now stream these bit-perfect to the
device.
Adds two config options:
- [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in
order to disable all security features. Do not do this.
- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types
IPA should accept.
Both of these configuration options are wired up to be set by the lookup
data returned by Ironic at lookup time.
This uses a image format inspection module imported from Nova; this
inspector will eventually live in oslo.utils, at which point we'll
migrate our usage of the inspector to it.
Closes-Bug: #2071740
Co-Authored-By: Dmitry Tantsur <[email protected]>
Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7
Change-Id: I6af5e6d2c4781c24345d456cec4d77c364ae2da5 (cherry picked from commit d7b2dcf)
This causees a linting failure, and the equivalent of this rule was removed later in I64909aa932635b729cc85717dc241ae31798b558 Change-Id: Id8e1a0901090f062ff36101f07acafe01a98a67b
I have a case where a user provided the checksum URL with SHA256 checksums, while Metal3 defaulted os_hash_algo to "md5". We're going to change the Metal3 defaults in the next API version, but for now let us issue a clear warning in such case. Closes-Bug: #2085331 Change-Id: Ie4e62a378dc4a2089944f4302df3a8671b7c960f (cherry picked from commit d8d32d9) (cherry picked from commit aa01777)
Use just md<index> as the default volume name if a volume name is not defined. The original change (https://review.opendev.org/c/openstack/ironic-python-agent/+/853182) introduced an error: mdadm: Value "/dev/md0" cannot be set as name. Reason: Not POSIX compatible.\n This change fixes it. Closes-Bug: #2073406 Change-Id: Ic8bd473801fcb92fc814f6ad4e1d6dc316783bf3 (cherry picked from commit 6dceb33) (cherry picked from commit 2ece938)
Prevents the UnboundLocalError in erase_devices_express clean step. Closes-Bug: #2095499 Change-Id: I01ce5005a62638ff960d2a75f225f882b2d56973 (cherry picked from commit 018a5f6)
Using prlimits is incompatible with passing arguments as a list:
oslo.concurrency ends up executing something like:
/opt/ironic-python-agent/bin/python3 -m oslo_concurrency.prlimit \
--as=2147483648 -- ['env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', \
'/tmp/cirros-0.6.2-x86_64-disk.img', '--output=json']
Which obviously fails. I don't understand how our CI has worked so far,
but the Metal3 BMO suite fails on this.
Change-Id: I46dbcb0f73bcbe09bb89b5c7195259570412698e
(cherry picked from commit fd8032b)
jovial
approved these changes
May 30, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.