Allow shred zeroize option to be configured

Introduce a new parameter in driver_internal_info called
agent_erase_devices_zeroize to control the behavior of shred. This
parameter controls the --zero argument used when invoking shred.
Configuring this to false disabled the last pass of zeroes, leaving the
device with random data.

Change-Id: I7053034f5b5bc6737b535ee601e6fb71284d4a83
Partial-bug: #1568811
Depends-On: Ia7ea8d909df9ae86a6dbd68ba94746b171535eb8

ironic_python_agent/hardware.py

@@ -619,9 +619,15 @@ class GenericHardwareManager(HardwareManager):
         """
         info = node.get('driver_internal_info', {})
         npasses = info.get('agent_erase_devices_iterations', 1)
+        args = ('shred', '--force')
+
+        if info.get('agent_erase_devices_zeroize', True):
+            args += ('--zero', )
+
+        args += ('--verbose', '--iterations', str(npasses), block_device.name)
+
         try:
-            utils.execute('shred', '--force', '--zero', '--verbose',
+            utils.execute(*args)
-                          '--iterations', str(npasses), block_device.name)
         except (processutils.ProcessExecutionError, OSError) as e:
             msg = ("Erasing block device %(dev)s failed with error %(err)s ",
                    {'dev': block_device.name, 'err': e})

ironic_python_agent/tests/unit/test_hardware.py

@@ -143,7 +143,9 @@ BLK_DEVICE_TEMPLATE_SMALL_DEVICES = [
                          vendor="FooTastic"),
 ]
 
-SHRED_OUTPUT = (
+SHRED_OUTPUT_0_ITERATIONS_ZERO_FALSE = ()
+
+SHRED_OUTPUT_1_ITERATION_ZERO_TRUE = (
     'shred: /dev/sda: pass 1/2 (random)...\n'
     'shred: /dev/sda: pass 1/2 (random)...4.9GiB/29GiB 17%\n'
     'shred: /dev/sda: pass 1/2 (random)...15GiB/29GiB 51%\n'
@@ -156,6 +158,19 @@ SHRED_OUTPUT = (
     'shred: /dev/sda: pass 2/2 (000000)...29GiB/29GiB 100%\n'
 )
 
+SHRED_OUTPUT_2_ITERATIONS_ZERO_FALSE = (
+    'shred: /dev/sda: pass 1/2 (random)...\n'
+    'shred: /dev/sda: pass 1/2 (random)...4.9GiB/29GiB 17%\n'
+    'shred: /dev/sda: pass 1/2 (random)...15GiB/29GiB 51%\n'
+    'shred: /dev/sda: pass 1/2 (random)...20GiB/29GiB 69%\n'
+    'shred: /dev/sda: pass 1/2 (random)...29GiB/29GiB 100%\n'
+    'shred: /dev/sda: pass 2/2 (random)...\n'
+    'shred: /dev/sda: pass 2/2 (random)...4.9GiB/29GiB 17%\n'
+    'shred: /dev/sda: pass 2/2 (random)...15GiB/29GiB 51%\n'
+    'shred: /dev/sda: pass 2/2 (random)...20GiB/29GiB 69%\n'
+    'shred: /dev/sda: pass 2/2 (random)...29GiB/29GiB 100%\n'
+)
+
 
 LSCPU_OUTPUT = """
 Architecture:          x86_64
@@ -659,31 +674,10 @@ class TestGenericHardwareManager(test_base.BaseTestCase):
     @mock.patch.object(utils, 'execute')
     def test_erase_block_device_nosecurity_shred(self, mocked_execute):
         hdparm_output = HDPARM_INFO_TEMPLATE.split('\nSecurity:')[0]
-        info = self.node.get('driver_internal_info')
-        info['agent_erase_devices_iterations'] = 2
 
         mocked_execute.side_effect = [
             (hdparm_output, ''),
-            (SHRED_OUTPUT, '')
+            (SHRED_OUTPUT_1_ITERATION_ZERO_TRUE, '')
-        ]
-
-        block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824,
-                                            True)
-        self.hardware.erase_block_device(self.node, block_device)
-        mocked_execute.assert_has_calls([
-            mock.call('hdparm', '-I', '/dev/sda'),
-            mock.call('shred', '--force', '--zero', '--verbose',
-                      '--iterations', '2', '/dev/sda')
-        ])
-
-    @mock.patch.object(utils, 'execute')
-    def test_erase_block_device_notsupported_shred(self, mocked_execute):
-        hdparm_output = create_hdparm_info(
-            supported=False, enabled=False, frozen=False, enhanced_erase=False)
-
-        mocked_execute.side_effect = [
-            (hdparm_output, ''),
-            (SHRED_OUTPUT, '')
         ]
 
         block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824,
@@ -695,6 +689,71 @@ class TestGenericHardwareManager(test_base.BaseTestCase):
                       '--iterations', '1', '/dev/sda')
         ])
 
+    @mock.patch.object(utils, 'execute')
+    def test_erase_block_device_notsupported_shred(self, mocked_execute):
+        hdparm_output = create_hdparm_info(
+            supported=False, enabled=False, frozen=False, enhanced_erase=False)
+
+        mocked_execute.side_effect = [
+            (hdparm_output, ''),
+            (SHRED_OUTPUT_1_ITERATION_ZERO_TRUE, '')
+        ]
+
+        block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824,
+                                            True)
+        self.hardware.erase_block_device(self.node, block_device)
+        mocked_execute.assert_has_calls([
+            mock.call('hdparm', '-I', '/dev/sda'),
+            mock.call('shred', '--force', '--zero', '--verbose',
+                      '--iterations', '1', '/dev/sda')
+        ])
+
+    @mock.patch.object(utils, 'execute')
+    def test_erase_block_device_shred_uses_internal_info(self, mocked_execute):
+        hdparm_output = create_hdparm_info(
+            supported=False, enabled=False, frozen=False, enhanced_erase=False)
+
+        info = self.node.get('driver_internal_info')
+        info['agent_erase_devices_iterations'] = 2
+        info['agent_erase_devices_zeroize'] = False
+
+        mocked_execute.side_effect = [
+            (hdparm_output, ''),
+            (SHRED_OUTPUT_2_ITERATIONS_ZERO_FALSE, '')
+        ]
+
+        block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824,
+                                            True)
+        self.hardware.erase_block_device(self.node, block_device)
+        mocked_execute.assert_has_calls([
+            mock.call('hdparm', '-I', '/dev/sda'),
+            mock.call('shred', '--force', '--verbose',
+                      '--iterations', '2', '/dev/sda')
+        ])
+
+    @mock.patch.object(utils, 'execute')
+    def test_erase_block_device_shred_0_pass_no_zeroize(self, mocked_execute):
+        hdparm_output = create_hdparm_info(
+            supported=False, enabled=False, frozen=False, enhanced_erase=False)
+
+        info = self.node.get('driver_internal_info')
+        info['agent_erase_devices_iterations'] = 0
+        info['agent_erase_devices_zeroize'] = False
+
+        mocked_execute.side_effect = [
+            (hdparm_output, ''),
+            (SHRED_OUTPUT_0_ITERATIONS_ZERO_FALSE, '')
+        ]
+
+        block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824,
+                                            True)
+        self.hardware.erase_block_device(self.node, block_device)
+        mocked_execute.assert_has_calls([
+            mock.call('hdparm', '-I', '/dev/sda'),
+            mock.call('shred', '--force', '--verbose',
+                      '--iterations', '0', '/dev/sda')
+        ])
+
     @mock.patch.object(hardware.GenericHardwareManager,
                        '_is_virtual_media_device', autospec=True)
     def test_erase_block_device_virtual_media(self, vm_mock):