From d9f59d94f2ad7e4e141b582ee4c4a40511d8340f Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Wed, 13 Jun 2018 12:20:22 -0700 Subject: [PATCH] Provide knob to disable ata secure erase We need to allow the operator to able to explicitly disable secure erase, in case it is problematic in their environment or hardware. Change-Id: I4c68efa65cdd7f88f54f8dd9a8bcbeee9e8124a8 Story: #2002546 Task: #22108 --- ironic_python_agent/hardware.py | 7 ++++--- ironic_python_agent/tests/unit/test_hardware.py | 16 ++++++++++++++++ ...to-disable-secure-erase-c3223262726d5aff.yaml | 6 ++++++ 3 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/ability-to-disable-secure-erase-c3223262726d5aff.yaml diff --git a/ironic_python_agent/hardware.py b/ironic_python_agent/hardware.py index 55753740d..0da5978fa 100644 --- a/ironic_python_agent/hardware.py +++ b/ironic_python_agent/hardware.py @@ -771,14 +771,15 @@ class GenericHardwareManager(HardwareManager): LOG.info("Skipping the erase of virtual media device %s", block_device.name) return - + info = node.get('driver_internal_info', {}) # Note(TheJulia) Use try/except to capture and log the failure # and then revert to attempting to shred the volume if enabled. try: - if self._ata_erase(block_device): + execute_secure_erase = info.get( + 'agent_enable_ata_secure_erase', True) + if execute_secure_erase and self._ata_erase(block_device): return except errors.BlockDeviceEraseError as e: - info = node.get('driver_internal_info', {}) execute_shred = info.get( 'agent_continue_if_ata_erase_failed', False) if execute_shred: diff --git a/ironic_python_agent/tests/unit/test_hardware.py b/ironic_python_agent/tests/unit/test_hardware.py index 2f0a8354a..4270813b5 100644 --- a/ironic_python_agent/tests/unit/test_hardware.py +++ b/ironic_python_agent/tests/unit/test_hardware.py 
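Review bot: When `agent_enable_ata_secure_erase` is false, the new `if execute_secure_erase and self._ata_erase(block_device)` skips ATA Secure Erase without writing any log record, so nothing shows that the device was sanitized by the fallback path rather than by the drive's own erase. The test added in this patch shows control reaching `_shred_block_device` in that case, and an overwrite pass may not reach remapped or over-provisioned blocks on SSDs, so operators auditing sanitization need to see which path ran. I would split the condition and log the skip, e.g. `LOG.info("ATA secure erase disabled via agent_enable_ata_secure_erase, skipping it for %s", block_device.name)`. Separately, `info.get('agent_enable_ata_secure_erase', True)` is used as a truthiness test, so a value arriving as the string `'False'` would still run the erase; an explicit boolean check is worth considering if the conductor does not guarantee the type. The body of the erase method starts and ends outside this hunk.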
@@ -1673,6 +1673,22 @@ class TestGenericHardwareManager(base.IronicAgentTest): self.hardware.erase_block_device(self.node, block_device) self.assertTrue(mock_shred.called) + @mock.patch.object(hardware.GenericHardwareManager, '_shred_block_device', + autospec=True) + @mock.patch.object(utils, 'execute', autospec=True) + def test_erase_block_device_ata_erase_disabled( + self, mocked_execute, mock_shred): + + info = self.node['driver_internal_info'] + info['agent_enable_ata_secure_erase'] = False + + block_device = hardware.BlockDevice('/dev/sda', 'big', 1073741824, + True) + + self.hardware.erase_block_device(self.node, block_device) + self.assertTrue(mock_shred.called) + self.assertFalse(mocked_execute.called) + def test_normal_vs_enhanced_security_erase(self): @mock.patch.object(utils, 'execute', autospec=True) def test_security_erase_option(test_case, diff --git a/releasenotes/notes/ability-to-disable-secure-erase-c3223262726d5aff.yaml b/releasenotes/notes/ability-to-disable-secure-erase-c3223262726d5aff.yaml new file mode 100644 index 000000000..7377b1467 --- /dev/null +++ b/releasenotes/notes/ability-to-disable-secure-erase-c3223262726d5aff.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds the ability for the Bare Metal service conductor + service to explicitly choose to disable ATA Secure Erase + from being executed.
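Review bot: The assertions in `test_erase_block_device_ata_erase_disabled` are looser than the property they protect: `self.assertTrue(mock_shred.called)` passes no matter how many times, or for which device, the fallback wipe was invoked. Since this test is what guarantees that disabling secure erase still wipes the disk, I would pin the call with `mock_shred.assert_called_once_with(mock.ANY, self.node, block_device)` and `mocked_execute.assert_not_called()`; the argument order is assumed, as the signature of `_shred_block_device` is not visible in this patch. A companion case with the key absent from `driver_internal_info` would also document that secure erase stays enabled by default, unless an existing test already covers it.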