
Follow up PXE filter driver

This is a follow-up patch [1] updating the driver interface specification,
replacing the low-level filter interface with a single method, sync(), to avoid
stale filter state if the lists are not passed through a single call.

The suggestion to keep the introspection data for the lifetime of a node
is removed too.

Some driver implementation suggestions are added with neutron, dnsmasq and
iptables in mind.

[1] I7022d10fd22e6e141e59d0596402f43d2dcde056

Change-Id: I260223b364f3550391c99bdc6214a0355fe6b565
changes/65/457765/4
dparalen 2 years ago
parent
commit
57ad6f6ddc
1 changed file with 31 additions and 25 deletions

specs/multiple-pxe-filtering-backends.rst (+31, -25)

@@ -54,15 +54,9 @@ items:
54 54
 * ``init_filter(self)`` may be synchronous; initializes internal filter state.
55 55
   This method may perform system-wide filter state changes.
56 56
 
57
-* ``whitelist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
58
-  enables the DHCP requests from these nodes.
59
-
60
-* ``blacklist_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
61
-  disables the DHCP requests from specified nodes.
62
-
63
-* ``remove_node_ids([<node_id>, <node_id>, ...])`` should be asynchronous;
64
-  removes nodes no longer tracked by **ironic/inspector** from both the filter
65
-  lists.
57
+* ``sync(self, ironic=None)`` called in a background thread; performs the
58
+  synchronization between **ironic**, **inspector** and the driver internal
59
+  state e.g updating ``iptables``.
66 60
 
67 61
 * ``tear_down_filter(self)`` may be synchronous; resets internal filter state.
68 62
   This method may perform system-wide filter state changes.
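Review bot: the new ``sync(self, ironic=None)`` bullet leaves two things undefined that a driver author needs: what ``ironic=None`` means (does the driver build its own ironic client when none is passed, or may it skip the ironic side of the sync?), and whether ``sync`` may run concurrently with ``init_filter``/``tear_down_filter`` or with a previous ``sync`` invocation, given that it is "called in a background thread". Because the removed ``whitelist_node_ids``/``blacklist_node_ids``/``remove_node_ids`` calls were the only way to react to a single node starting or finishing introspection, the bullet should also state whether ``sync`` is triggered on such events or only periodically; if only periodically, a node's DHCP may stay blocked for up to one full period. Minor: ``e.g updating`` should read ``e.g. updating``.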
@@ -70,14 +64,13 @@ items:
70 64
 This abstract interface shall reside in **inspector** tree, together with an
71 65
 ``iptables`` and a ``noop`` driver implementation.
72 66
 
73
-Any driver-specific High-Availability concerns (such as leader election) are
74
-out of scope of this spec and the **inspector** code base and should be
75
-addressed by particular drivers internally.
67
+In addition, a *generic* ``get_periodic_sync_task`` filter driver method shall
68
+be provided that particular driver implementations may consider overriding to
69
+e.g opt-out from the periodic synchronization.
76 70
 
77
-We also suggest to drop introspection status cache cleaning to reduce the
78
-synchronization between the filter and **ironic** and remove the periodic
79
-firewall update procedure in favor of the periodic **ironic** synchronization
80
-procedure.
71
+Any driver-specific High-Availability concerns are out of scope of this
72
+spec and the **inspector** code base and should be addressed by particular
73
+drivers internally.
81 74
 
82 75
 Alternatives
83 76
 ------------
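Review bot: the ``get_periodic_sync_task`` bullet does not define the method's contract: what it returns, who schedules the returned task, and what a driver returns to opt out (``None``?). The text describes it as a generic method drivers "may consider overriding", so please state the default behaviour (presumably a periodic invocation of ``sync``) and which setting controls the period, since ``firewall.firewall_update_period`` is marked deprecated and ignored later in this spec. Minor: ``e.g opt-out`` should read ``e.g. opt out``.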
@@ -135,9 +128,6 @@ Deployer impact
135 128
 * The ``firewall.firewall_update_period`` configuration option shall be
136 129
   *deprecated and ignored*.
137 130
 
138
-* The inspector ``node_status_keep_time`` shall be *deprecated and ignored*,
139
-  implying caching a node inspection status for the lifetime of the node.
140
-
141 131
 * Deployer might consider custom drivers fitting their needs.
142 132
 
143 133
 * A "standard" **grenade** testing with the firewall-based driver will be
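Review bot: with the ``node_status_keep_time`` bullet removed, this section now only tells deployers that ``firewall.firewall_update_period`` is deprecated and ignored, without saying what replaces it. Name the option that controls the periodic ``sync`` interval, or state explicitly that the interval is fixed, so deployers know how to tune the delay before a node's DHCP is enabled. Dropping the keep-time bullet itself is consistent with the commit message, which withdraws the lifetime-caching suggestion.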
@@ -147,13 +137,32 @@ Developer impact
147 137
 ----------------
148 138
 
149 139
 Developers of custom PXE filter drivers should adhere to the proposed driver
150
-interface. Any High-availability considerations should be addressed by the
151
-drivers internally. The `stevedore`_ library will be used to implement the
140
+interface. Any specific High-availability considerations should be addressed by
141
+the drivers internally. The `stevedore`_ library will be used to implement the
152 142
 driver loading mechanism.
153 143
 
154 144
 Implementation
155 145
 ==============
156 146
 
147
+To illustrate what a driver implementation may look like we list what
148
+information will a particular driver have to deal with internally, comparing
149
+possible ``sync`` method implementations of the drivers.
150
+
151
+.. table:: Features
152
+
153
+    +---------------+----------------------------+----------------------------+----------------------------+
154
+    | Driver        | Whitelist                  | Blacklist                  | Discovery support          |
155
+    +===============+============================+============================+============================+
156
+    | neutron       | Update the PXE port with   | Clear the inspection       | N/A (a separate VLAN)      |
157
+    |               | the inspection network ID  | network ID on the PXE port |                            |
158
+    +---------------+----------------------------+----------------------------+----------------------------+
159
+    | dnsmasq       | Allow a lease for a MAC    | Deny a lease for a MAC     | Grant leases by default    |
160
+    |               | address explicitly         | address explicitly         |                            |
161
+    +---------------+----------------------------+----------------------------+----------------------------+
162
+    | iptables      | Subtract the MAC addresses | Deny access for the MAC    | Accept DHCP traffic by     |
163
+    |               | from the blacklist         | addresses                  | default                    |
164
+    +---------------+----------------------------+----------------------------+----------------------------+
165
+
157 166
 Assignee(s)
158 167
 -----------
159 168
 
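Review bot: the new table still describes each driver in Whitelist/Blacklist terms although this revision replaces ``whitelist_node_ids``/``blacklist_node_ids`` with a single ``sync`` method; the sentence introducing the table should say how a driver derives those two node sets from **ironic**/**inspector** state on each ``sync`` pass. Two wording fixes in the hunk: the iptables cell "Subtract the MAC addresses from the blacklist" is ambiguous (remove the addresses from the blacklist chain, or compute the whitelist as everything minus the blacklist?), and "what information will a particular driver have to deal with" should read "what information a particular driver will have to deal with". The caption ``.. table:: Features`` would also be clearer if it named what is compared, e.g. ``Per-driver sync behaviour``.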
@@ -165,14 +174,11 @@ Work Items
165 174
 
166 175
 * introduce the abstract driver interface
167 176
 * refactoring current firewall-based filter
168
-* deprecate the the ``node_status_keep_time`` configuration option and make the
169
-  status records last for the node lifetime
170 177
 
171 178
 Dependencies
172 179
 ============
173 180
 
174
-The `stevedore`_ library will be used to implement the driver loading
175
-mechanism.
181
+None
176 182
 
177 183
 Testing
178 184
 =======
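Review bot: changing Dependencies to ``None`` contradicts the unchanged Developer impact text above, which still says the `stevedore`_ library will be used to implement the driver loading mechanism. If stevedore is already an **inspector** requirement, say so here instead of ``None``; otherwise keep it listed. The Work Items list also lost the ``node_status_keep_time`` item (consistent with the commit message) but gained nothing for the periodic ``sync`` task or the ``get_periodic_sync_task`` hook that this revision introduces, nor for the ``firewall.firewall_update_period`` deprecation the spec already calls for.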
