Merge "Lockout configdrive reads on network boots"

2025-12-22 12:17:45 +00:00
parent a090c0445f 1c281d8445
commit 40b946c1c1
3 changed files with 30 additions and 0 deletions
--- a/dib/ironic-python-agent-ramdisk/static/etc/systemd/system/ironic-agent-resolve-config-drive.service
+++ b/dib/ironic-python-agent-ramdisk/static/etc/systemd/system/ironic-agent-resolve-config-drive.service
@@ -13,3 +13,6 @@ RemainAfterExit=yes

 [Install]
 WantedBy=multi-user.target
+RequiredBy=glean.service
+RequiredBy=glean-networkd.service
+RequiredBy=glean-nm.service
--- a/dib/ironic-python-agent-ramdisk/static/usr/local/bin/ironic-python-agent-resolve-configdrive.sh
+++ b/dib/ironic-python-agent-ramdisk/static/usr/local/bin/ironic-python-agent-resolve-configdrive.sh
@@ -9,6 +9,10 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin

 # Inspired by/based on glean-early.sh
 # https://opendev.org/opendev/glean/src/branch/master/glean/init/glean-early.sh
+#
+# What this script does, given we have disabled glean-early from executing,
+# it mounts the configuration drive contents *if* appropriate. Otherwise
+# everything falls into the default dhcp/address discovery path.

 # Identify if we have an a publisher id set
 publisher_id=""
@@ -16,6 +20,17 @@ if grep -q "ir_pub_id" /proc/cmdline; then
    publisher_id=$(cat /proc/cmdline | sed -e 's/^.*ir_pub_id=//' -e 's/ .*$//')
 fi

+if grep -q "BOOTIF" /proc/cmdline; then
+    # This is clearly a network boot or agent boot operation, which means
+    # we should double check if we have a publisher_id from Ironic.
+    if [[ "${publisher_id,,}" == "" ]]; then
+        # No publisher ID is present on the command line, Stop here.
+        # No need to proceed.
+        echo "Non-vmedia based deploy detected - skipping configuration."
+        exit 1
+    fi
+fi
+
 # NOTE(TheJulia): We care about iso images, and would expect lower case as a
 # result. In the case of VFAT partitions, they would be upper case.
 CONFIG_DRIVE_LABEL="config-2"
@@ -42,3 +57,4 @@ done
 # No device found
 echo "No valid configuration drive found for Ironic."
 lsblk -o PATH,LABEL
+exit 1
--- a/releasenotes/notes/fix-glean-configdrive-lockout-4afaa99a06e7a785.yaml
+++ b/releasenotes/notes/fix-glean-configdrive-lockout-4afaa99a06e7a785.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Fixes issues which could be encountered where prior configuration drives
+    were considered valid for use by the configuration drive lockout script.
+    This was discovered shortly after ``simple-init`` was added as a default
+    element instead of an opt-in element for disk images. Because of the use
+    of glean, this only resulted in incorrect network configuration of the
+    agent in some cases for users utilizing upstream code. That support was
+    promptly reverted, and this fix developed. We anticipate the simple-init
+    element to be re-introduced at some point in the future.