Lockout configdrive reads on network boots

We discovered that, when the agent was network booted, it was
possible, due to the "don't break existing users" coding model,
for the script to consider a standing config drive as valid.
This could result in configuration getting loaded from the
configuration drive, which is a security issue, but only for the
networking portion of the configuration due to the use of glean
instead of cloud-init.

We have since reverted the default of having simple-init enabled,
and this change fixes the load logic so we prevent these possible
cases, considering that ironic deployments using virtual media
should now all be on code bases with the publisher ID value set.

Change-Id: If2a63fd16d8ae8e71b61b39f7c0c87ff45a81cf0
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
Julia Kreger
2025-12-16 10:34:11 -08:00
parent edccbb791f
commit 1c281d8445
3 changed files with 30 additions and 0 deletions
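As an added illustration, not code from this commit or from the ironic project, the following POSIX shell models the decision the patched script makes from the kernel command line: a BOOTIF= parameter marks a network or agent boot, and such a boot may only consume a config drive when ir_pub_id= is also present. It places the patch's grep/sed extraction beside a whole-word parser, and the patch's rule beside a stricter one that requires the publisher ID regardless of BOOTIF. The function names and the sample command lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's script): models the lockout decision the
# patched script makes from the kernel command line, and contrasts the patch's
# substring extraction with a whole-word parser. Function names and the sample
# command lines below are constructed for illustration.

# Print the value of "key=value" from a cmdline string, matching the key as a
# whole word; prints nothing (but still succeeds) when the key is absent.
cmdline_value() {
    key="$1"
    for word in $2; do
        case "$word" in
            "$key="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# True if "key=" appears as a whole word on the cmdline.
cmdline_has_key() {
    for word in $2; do
        case "$word" in
            "$1="*) return 0 ;;
        esac
    done
    return 1
}

# What the patch extracts: grep -q "ir_pub_id" followed by
# sed -e 's/^.*ir_pub_id=//' -e 's/ .*$//'. Both match the key as a substring,
# so a parameter such as foo_ir_pub_id=... is accepted as a publisher ID.
patch_pub_id() {
    case "$1" in
        *ir_pub_id*) printf '%s\n' "$1" | sed -e 's/^.*ir_pub_id=//' -e 's/ .*$//' ;;
        *) printf '\n' ;;
    esac
}

# The patch's rule: BOOTIF= marks a network/agent boot, and such a boot may
# only consume a config drive when Ironic also passed ir_pub_id=.
# Returns 0 to proceed to the config drive search, 1 to lock out.
configdrive_allowed() {
    pub_id=$(cmdline_value ir_pub_id "$1")
    if cmdline_has_key BOOTIF "$1" && [ -z "$pub_id" ]; then
        return 1
    fi
    return 0
}

# Stricter variant: require ir_pub_id= unconditionally, so a bootloader that
# does not append BOOTIF cannot reopen the fall-through to the config drive.
configdrive_allowed_strict() {
    pub_id=$(cmdline_value ir_pub_id "$1")
    [ -n "$pub_id" ]
}

# Constructed sample command lines (not captured from a real host).
CMD_VMEDIA="BOOT_IMAGE=/vmlinuz ir_pub_id=example-publisher console=ttyS0"
CMD_PXE="BOOT_IMAGE=/vmlinuz BOOTIF=01-aa-bb-cc-dd-ee-ff ipa-api-url=http://10.0.0.1:6385"
CMD_PXE_WITH_ID="BOOTIF=01-aa-bb-cc-dd-ee-ff ir_pub_id=example-publisher"
CMD_NO_BOOTIF="BOOT_IMAGE=/vmlinuz ip=dhcp"
CMD_SUBSTRING="foo_ir_pub_id=smuggled BOOTIF=01-aa-bb-cc-dd-ee-ff"

# Print a verdict table for the samples when run directly.
for cmd in "$CMD_VMEDIA" "$CMD_PXE" "$CMD_PXE_WITH_ID" "$CMD_NO_BOOTIF" "$CMD_SUBSTRING"; do
    if configdrive_allowed "$cmd"; then v1=allow; else v1=lockout; fi
    if configdrive_allowed_strict "$cmd"; then v2=allow; else v2=lockout; fi
    printf 'patch=%-7s strict=%-7s  %s\n' "$v1" "$v2" "$cmd"
done
```

Two rows of the table are the ones worth looking at: the command line without BOOTIF and without ir_pub_id is allowed through under the patch's rule but locked out by the strict one, and the `foo_ir_pub_id=smuggled` line shows the patch's grep/sed pair returning `smuggled` as the publisher ID where the whole-word parser sees no publisher ID at all.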


@@ -13,3 +13,6 @@ RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
RequiredBy=glean.service
RequiredBy=glean-networkd.service
RequiredBy=glean-nm.service
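Review bot: RequiredBy= under [Install] only installs a Requires= dependency from the three glean units when this unit is enabled, and Requires= by itself carries no ordering; unless this unit's [Unit] section (not in the hunk) also has Before=glean.service glean-networkd.service glean-nm.service, the glean units may start before the script has decided whether the config drive is trustworthy, and the script's `exit 1` lockout path would not hold them back. Please confirm the Before= ordering is present, and state in the unit (or in the release note) whether a lockout is meant to block glean entirely or only to leave it falling through to DHCP as the script header describes; RemainAfterExit=yes suggests the former is intended.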


@@ -9,6 +9,10 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
# Inspired by/based on glean-early.sh
# https://opendev.org/opendev/glean/src/branch/master/glean/init/glean-early.sh
#
# What this script does, given we have disabled glean-early from executing,
# it mounts the configuration drive contents *if* appropriate. Otherwise
# everything falls into the default dhcp/address discovery path.
# Identify if we have an a publisher id set
publisher_id=""
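Review bot: the last line of the new header comment has a typo, "Identify if we have an a publisher id set" should read "Identify if we have a publisher id set". Since this comment is now the only place that describes the new behaviour (mount the drive only if appropriate, otherwise fall through to DHCP), it would help to state the actual rule here as well: a boot recognised as a network or agent boot by BOOTIF is refused unless Ironic passed ir_pub_id on the kernel command line.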
@@ -16,6 +20,17 @@ if grep -q "ir_pub_id" /proc/cmdline; then
publisher_id=$(cat /proc/cmdline | sed -e 's/^.*ir_pub_id=//' -e 's/ .*$//')
fi
if grep -q "BOOTIF" /proc/cmdline; then
# This is clearly a network boot or agent boot operation, which means
# we should double check if we have a publisher_id from Ironic.
if [[ "${publisher_id,,}" == "" ]]; then
# No publisher ID is present on the command line, Stop here.
# No need to proceed.
echo "Non-vmedia based deploy detected - skipping configuration."
exit 1
fi
fi
# NOTE(TheJulia): We care about iso images, and would expect lower case as a
# result. In the case of VFAT partitions, they would be upper case.
CONFIG_DRIVE_LABEL="config-2"
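Review bot: the lockout keys on BOOTIF, which is only on the command line when the bootloader appends it; a network boot whose bootloader does not add BOOTIF and whose command line lacks ir_pub_id still falls through to the config drive search below, which is the very case the commit message sets out to close. Since the commit message states that all virtual media deployments are now on code that sets the publisher ID, the simpler and stricter rule is to stop whenever publisher_id is empty, regardless of BOOTIF. Two smaller points: `grep -q "ir_pub_id"` and `sed -e 's/^.*ir_pub_id=//'` match the key as a substring, so a parameter such as `foo_ir_pub_id=...` would be accepted as the publisher ID (iterating over the words of /proc/cmdline and matching `ir_pub_id=*` exactly avoids this), and `[[ "${publisher_id,,}" == "" ]]` lowercases a value only to compare it with the empty string, where `[[ -z "$publisher_id" ]]` says what is meant.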
@@ -42,3 +57,4 @@ done
# No device found
echo "No valid configuration drive found for Ironic."
lsblk -o PATH,LABEL
exit 1
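Review bot: the `lsblk -o PATH,LABEL` diagnostic on the no-device path is welcome, but the comment just above notes that the label is lower case on ISO images and upper case on VFAT, so adding FSTYPE (`lsblk -o PATH,LABEL,FSTYPE`) would let an operator tell from the journal which of the two cases they are in. The earlier "Non-vmedia based deploy detected" exit gives no diagnostic at all; echoing the BOOTIF value found on /proc/cmdline there would make a locked-out network boot as easy to debug as a missing drive.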


@@ -0,0 +1,11 @@
---
fixes:
- |
Fixes issues which could be encountered where prior configuration drives
were considered valid for use by the configuration drive lockout script.
This was discovered shortly after ``simple-init`` was added as a default
element instead of an opt-in element for disk images. Because of the use
of glean, this only resulted in incorrect network configuration of the
agent in some cases for users utilizing upstream code. That support was
promptly reverted, and this fix developed. We anticipate the simple-init
element to be re-introduced at some point in the future.
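Review bot: the note records the history but not the behavioural change operators will see: with this fix, an agent booted with BOOTIF on its kernel command line and no ir_pub_id skips the configuration drive entirely and relies on DHCP, so anyone network-booting the agent with a config drive outside Ironic's virtual media path loses that configuration. Stating the new rule, and that the publisher ID must be supplied for virtual media deployments, would save a support round-trip. "Fixes issues which could be encountered where prior configuration drives were considered valid" also reads more directly as "Fixes an issue where prior configuration drives were considered valid".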