ironic-python-agent/ironic_python_agent/extensions/standby.py
Jay Faulkner be8ee50ea1 Inspect non-raw images for safety
When IPA gets a non-raw image, it performs an on-the-fly conversion
using qemu-img convert, as well as running qemu-img frequently to get
basic information about the image before validating it.

Now, we ensure that before any qemu-img calls are made, that we have
inspected the image for safety and pass through the detected format.

If given a disk_format=raw image and image streaming is enabled
(default), we retain the existing behavior of not inspecting it in
any way and streaming it bit-perfect to the device. In this case, we
never use qemu-based tools on the image at all.

If given a disk_format=raw image and image streaming is disabled, this
change fixes a bug where the image may have been converted if it was not
actually raw in the first place. We now stream these bit-perfect to the
device.

Adds two config options:
- [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in
  order to disable all security features. Do not do this.
- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types
  IPA should accept.

Both of these configuration options are wired up to be set by the lookup
data returned by Ironic at lookup time.

This uses a image format inspection module imported from Nova; this
inspector will eventually live in oslo.utils, at which point we'll
migrate our usage of the inspector to it.

Closes-Bug: #2071740
Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7
2024-09-04 09:21:59 -07:00

1107 lines
48 KiB
Python

# Copyright 2013 Rackspace, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import hashlib
import os
import re
import tempfile
import time
from urllib import parse as urlparse
from ironic_lib import exception
from oslo_concurrency import processutils
from oslo_config import cfg
from oslo_log import log
from oslo_utils import units
import requests
from ironic_python_agent import disk_utils
from ironic_python_agent import errors
from ironic_python_agent.extensions import base
from ironic_python_agent import hardware
from ironic_python_agent import partition_utils
from ironic_python_agent import qemu_img
from ironic_python_agent import utils
CONF = cfg.CONF
LOG = log.getLogger(__name__)
IMAGE_CHUNK_SIZE = 1024 * 1024 # 1MB
def _image_location(image_info):
"""Get the location of the image in the local file system.
:param image_info: Image information dictionary.
:returns: The full, absolute path to the image as a string.
"""
return os.path.join(tempfile.gettempdir(), image_info['id'])
def _verify_basic_auth_creds(user, password, image_id):
"""Verify the basic auth credentials used for image download are present.
:param user: Basic auth username
:param password: Basic auth password
:param image_id: id of the image that is being acted upon
:raises ImageDownloadError if the credentials are not present
"""
expected_creds = {'user': user, 'password': password}
missing_creds = []
for key, value in expected_creds.items():
if not value:
missing_creds.append(key)
if missing_creds:
raise errors.ImageDownloadError(
image_id,
"Missing {} fields from HTTP(S) "
"basic auth config".format(missing_creds)
)
def _gen_auth_from_image_info_user_pass(image_info, image_id):
"""This function is used to pass the credentials to the chosen
credential verifier and in case the verification is successful
generate the compatible authentication object that will be used
with the request(s). This function handles the authentication object
generation for authentication strategies that are username+password
based. Credentials are collected via image_info.
:param image_info: Image information dictionary.
:param image_id: id of the image that is being acted upon
:return: Authentication object used directly by the request library
:rtype: requests.auth.HTTPBasicAuth
"""
image_server_user = None
image_server_password = None
if image_info.get('image_server_auth_strategy') == 'http_basic':
image_server_user = image_info.get('image_server_user')
image_server_password = image_info.get('image_server_password')
_verify_basic_auth_creds(
image_server_user,
image_server_password,
image_id
)
else:
return None
return requests.auth.HTTPBasicAuth(image_server_user,
image_server_password)
def _gen_auth_from_oslo_conf_user_pass(image_id):
"""This function is used to pass the credentials to the chosen
credential verifier and in case the verification is successful
generate the compatible authentication object that will be used
with the request(s). This function handles the authentication object
generation for authentication strategies that are username+password
based. Credentials are collected from the oslo.config framework.
:param image_id: id of the image that is being acted upon
:return: Authentication object used directly by the request library
:rtype: requests.auth.HTTPBasicAuth
"""
image_server_user = None
image_server_password = None
if CONF.image_server_auth_strategy == 'http_basic':
_verify_basic_auth_creds(
CONF.image_server_user,
CONF.image_server_password,
image_id)
image_server_user = CONF.image_server_user
image_server_password = CONF.image_server_password
else:
return None
return requests.auth.HTTPBasicAuth(image_server_user,
image_server_password)
def _download_with_proxy(image_info, url, image_id):
"""Opens a download stream for the given URL.
:param image_info: Image information dictionary.
:param url: The URL string to request the image from.
:param image_id: Image ID or URL for logging.
:raises: ImageDownloadError if the download stream was not started
properly.
:return: HTTP(s) server response for the image/hash download request
:rtype: requests.Response
"""
no_proxy = image_info.get('no_proxy')
if no_proxy:
os.environ['no_proxy'] = no_proxy
proxies = image_info.get('proxies', {})
verify, cert = utils.get_ssl_client_options(CONF)
resp = None
image_download_attributes = {
"stream": True,
"proxies": proxies,
"verify": verify,
"cert": cert,
"timeout": CONF.image_download_connection_timeout
}
# NOTE(Adam) `image_info` is prioritized over `oslo.conf` for credential
# collection and auth strategy selection
auth_object = _gen_auth_from_image_info_user_pass(image_info, image_id)
if auth_object is None:
auth_object = _gen_auth_from_oslo_conf_user_pass(image_id)
if auth_object is not None:
image_download_attributes['auth'] = auth_object
for attempt in range(CONF.image_download_connection_retries + 1):
try:
# NOTE(TheJulia) The get request below does the following:
# * Performs dns lookups, if necessary
# * Opens the TCP socket to the remote host
# * Negotiates TLS, if applicable
# * Checks cert validity, if necessary, which may be
# more tcp socket connections.
# * Issues the get request and then returns back to the caller the
# handler which is used to stream the data into the agent.
# While this all may be at risk of transitory interrupts, most of
# these socket will have timeouts applied to them, although not
# exactly just as the timeout value exists. The risk in transitory
# failure is more so once we've started the download and we are
# processing the incoming data.
# B113 issue is covered is the image_download_attributs list
resp = requests.get(url, **image_download_attributes) # nosec
if resp.status_code != 200:
msg = ('Received status code {} from {}, expected 200. '
'Response body: {} Response headers: {}').format(
resp.status_code, url, resp.text, resp.headers)
raise errors.ImageDownloadError(image_id, msg)
except (errors.ImageDownloadError, requests.RequestException) as e:
if (attempt == CONF.image_download_connection_retries
# NOTE(dtantsur): do not retry 4xx status codes
or (resp and resp.status_code < 500)):
raise
else:
LOG.warning('Unable to connect to %s, retrying. Error: %s',
url, e)
time.sleep(CONF.image_download_connection_retry_interval)
else:
break
return resp
def _is_checksum_url(checksum):
"""Identify if checksum is not a url"""
if (checksum.startswith('http://') or checksum.startswith('https://')):
return True
else:
return False
MD5_MATCH = r"^([a-fA-F\d]{32})\s" # MD5 at beginning of line
MD5_MATCH_END = r"\s([a-fA-F\d]{32})$" # MD5 at end of line
MD5_MATCH_ONLY = r"^([a-fA-F\d]{32})$" # MD5 only
SHA256_MATCH = r"^([a-fA-F\d]{64})\s" # SHA256 at beginning of line
SHA256_MATCH_END = r"\s([a-fA-F\d]{64})$" # SHA256 at end of line
SHA256_MATCH_ONLY = r"^([a-fA-F\d]{64})$" # SHA256 only
SHA512_MATCH = r"^([a-fA-F\d]{128})\s" # SHA512 at beginning of line
SHA512_MATCH_END = r"\s([a-fA-F\d]{128})$" # SHA512 at end of line
SHA512_MATCH_ONLY = r"^([a-fA-F\d]{128})$" # SHA512 only
FILENAME_MATCH_END = r"\s[*]?{filename}$" # Filename binary/text end of line
FILENAME_MATCH_PARENTHESES = r"\s\({filename}\)\s" # CentOS images
CHECKSUM_MATCHERS = (MD5_MATCH, MD5_MATCH_END, SHA256_MATCH, SHA256_MATCH_END,
SHA512_MATCH, SHA512_MATCH_END)
CHECKSUM_ONLY_MATCHERS = (MD5_MATCH_ONLY, SHA256_MATCH_ONLY, SHA512_MATCH_ONLY)
FILENAME_MATCHERS = (FILENAME_MATCH_END, FILENAME_MATCH_PARENTHESES)
def _fetch_checksum(checksum, image_info):
"""Fetch checksum from remote location, if needed."""
if not _is_checksum_url(checksum):
# Not a remote checksum, return as it is.
return checksum
LOG.debug('Downloading checksums file from %s', checksum)
resp = _download_with_proxy(image_info, checksum, checksum).text
lines = [line.strip() for line in resp.split('\n') if line.strip()]
if not lines:
raise errors.ImageDownloadError(checksum, "Empty checksum file")
elif len(lines) == 1:
# Special case - checksums file with only the checksum itself
if ' ' not in lines[0]:
for matcher in CHECKSUM_ONLY_MATCHERS:
checksum = re.findall(matcher, lines[0])
if checksum:
return checksum[0]
raise errors.ImageDownloadError(
checksum, ("Invalid checksum file (No valid checksum found) %s"
% lines))
# FIXME(dtantsur): can we assume the same name for all images?
expected_fname = os.path.basename(urlparse.urlparse(
image_info['urls'][0]).path)
for line in lines:
# Ignore comment lines
if line.startswith("#"):
continue
# Ignore checksums for other files
for matcher in FILENAME_MATCHERS:
if re.findall(matcher.format(filename=expected_fname), line):
break
else:
continue
for matcher in CHECKSUM_MATCHERS:
checksum = re.findall(matcher, line)
if checksum:
return checksum[0]
raise errors.ImageDownloadError(
checksum, "Checksum file does not contain name %s" % expected_fname)
def _write_partition_image(image, image_info, device, configdrive=None,
source_format=None, is_raw=False, size=0):
"""Call disk_util to create partition and write the partition image.
:param image: Local path to image file to be written to the partition.
If ``None``, the image is not populated.
:param image_info: Image information dictionary.
:param device: The device name, as a string, on which to store the image.
Example: '/dev/sda'
:param configdrive: A string containing the location of the config
drive as a URL OR the contents (as gzip/base64)
of the configdrive. Optional, defaults to None.
:param source_format: The actual format of the partition image.
Must be provided if deep image inspection is enabled.
:param is_raw: Ironic indicates the image is raw; do not convert it
:param size: Virtual size, in MB, of provided image.
:raises: InvalidCommandParamsError if the partition is too small for the
provided image.
:raises: ImageWriteError if writing the image to disk encounters any error.
"""
# Retrieve the cached node as it has the latest information
# and allows us to also sanity check the deployment so we don't end
# up writing MBR when we're in UEFI mode.
cached_node = hardware.get_cached_node()
node_uuid = image_info.get('node_uuid')
preserve_ep = image_info['preserve_ephemeral']
boot_mode = utils.get_node_boot_mode(cached_node)
disk_label = utils.get_partition_table_type_from_specs(cached_node)
root_mb = image_info['root_mb']
cpu_arch = hardware.dispatch_to_managers('get_cpus').architecture
if image is not None:
if size > int(root_mb):
msg = ('Root partition is too small for requested image. Image '
'virtual size: {} MB, Root size: {} MB').format(size,
root_mb)
raise errors.InvalidCommandParamsError(msg)
try:
return partition_utils.work_on_disk(device, root_mb,
image_info['swap_mb'],
image_info['ephemeral_mb'],
image_info['ephemeral_format'],
image, node_uuid,
preserve_ephemeral=preserve_ep,
configdrive=configdrive,
boot_mode=boot_mode,
disk_label=disk_label,
cpu_arch=cpu_arch,
source_format=source_format,
is_raw=is_raw)
except processutils.ProcessExecutionError as e:
raise errors.ImageWriteError(device, e.exit_code, e.stdout, e.stderr)
def _write_whole_disk_image(image, image_info, device, source_format=None,
is_raw=False):
"""Writes a whole disk image to the specified device.
:param image: Local path to image file to be written to the disk.
:param image_info: Image information dictionary.
This parameter is currently unused by the function.
:param device: The device name, as a string, on which to store the image.
Example: '/dev/sda'
:param source_format: The format of the whole disk image to be written.
:param is_raw: Ironic indicates the image is raw; do not convert it
:raises: ImageWriteError if the command to write the image encounters an
error.
:raises: InvalidImage if asked to write an image without a format when
not permitted
"""
# FIXME(dtantsur): pass the real node UUID for logging
disk_utils.destroy_disk_metadata(device, '')
disk_utils.udev_settle()
try:
if is_raw:
# TODO(JayF): We should unify all these dd/convert_image calls
# into disk_utils.populate_image().
# NOTE(JayF): Since we do not safety check raw images, we must use
# dd to write them to ensure maximum security. This may cause
# failures in situations where images are configured as raw but
# are actually in need of conversion. Those cases can no longer
# be transparently handled safely.
LOG.info('Writing raw image %s to device %s', image, device)
disk_utils.dd(image, device)
else:
command = ['qemu-img', 'convert',
'-t', 'directsync', '-S', '0', '-O', 'host_device',
'-W']
if source_format:
command += ['-f', source_format]
command += [image, device]
LOG.info('Writing image with command: %s', ' '.join(command))
qemu_img.convert_image(image, device, out_format='host_device',
cache='directsync', out_of_order=True,
sparse_size='0',
source_format=source_format)
except processutils.ProcessExecutionError as e:
raise errors.ImageWriteError(device, e.exit_code, e.stdout, e.stderr)
disk_utils.trigger_device_rescan(device)
def _write_image(image_info, device, configdrive=None):
"""Writes an image to the specified device.
:param image_info: Image information dictionary.
:param device: The disk name, as a string, on which to store the image.
Example: '/dev/sda'
:param configdrive: A string containing the location of the config
drive as a URL OR the contents (as gzip/base64)
of the configdrive. Optional, defaults to None.
:raises: ImageWriteError if the command to write the image encounters an
error.
:raises: InvalidImage if the image does not pass security inspection
"""
starttime = time.time()
image = _image_location(image_info)
ironic_disk_format = image_info.get('disk_format')
is_raw = ironic_disk_format == 'raw'
# NOTE(JayF): The below method call performs a required security check
# and must remain in place. See bug #2071740
source_format, size = disk_utils.get_and_validate_image_format(
image, ironic_disk_format)
size_mb = int((size + units.Mi - 1) / units.Mi)
uuids = {}
if image_info.get('image_type') == 'partition':
uuids = _write_partition_image(image, image_info, device,
configdrive,
source_format=source_format,
is_raw=is_raw, size=size_mb)
else:
_write_whole_disk_image(image, image_info, device,
source_format=source_format,
is_raw=is_raw)
totaltime = time.time() - starttime
LOG.info('Image %(image)s written to device %(device)s in %(totaltime)s '
'seconds', {'image': image, 'device': device,
'totaltime': totaltime})
try:
disk_utils.fix_gpt_partition(device, node_uuid=None)
except exception.InstanceDeployFailure:
# Note: the catch internal to the helper method logs any errors.
pass
return uuids
def _message_format(msg, image_info, device, partition_uuids):
"""Helper method to get and populate different messages."""
message = None
result_msg = msg
root_uuid = partition_uuids.get('root uuid')
efi_system_partition_uuid = (
partition_uuids.get('efi system partition uuid'))
if (image_info.get('deploy_boot_mode') == 'uefi'
and efi_system_partition_uuid):
result_msg = msg + 'root_uuid={} efi_system_partition_uuid={}'
message = result_msg.format(image_info['id'], device,
root_uuid,
efi_system_partition_uuid)
else:
result_msg = msg + 'root_uuid={}'
message = result_msg.format(image_info['id'], device, root_uuid)
return message
def _get_algorithm_by_length(checksum):
"""Determine the SHA-2 algorithm by checksum length.
:param checksum: The requested checksum.
:returns: A hashlib object based upon the checksum
or ValueError if the algorithm could not be
identified.
"""
# NOTE(TheJulia): This is all based on SHA-2 lengths.
# SHA-3 would require a hint, thus ValueError because
# it may not be a fixed length. That said, SHA-2 is not
# as of this not being added, being withdrawn standards wise.
checksum_len = len(checksum)
if checksum_len == 128:
# Sha512 is 512 bits, or 128 characters
return hashlib.new('sha512')
elif checksum_len == 64:
# SHA256 is 256 bits, or 64 characters
return hashlib.new('sha256')
elif checksum_len == 32:
check_md5_enabled()
# This is not super great, but opt-in only.
return hashlib.new('md5') # nosec
else:
# Previously, we would have just assumed the value was
# md5 by default. This way we are a little smarter and
# gracefully handle things better when md5 is explicitly
# disabled.
raise ValueError('Unable to identify checksum algorithm '
'used, and a value is not specified in '
'the os_hash_algo setting.')
def check_md5_enabled():
"""Checks if md5 is permitted, otherwise raises ValueError."""
if not CONF.md5_enabled:
raise ValueError('MD5 support is disabled, and support '
'will be removed in a 2024 version of '
'Ironic.')
class ImageDownload(object):
"""Helper class that opens a HTTP connection to download an image.
This class opens a HTTP connection to download an image from a URL
and create an iterator so the image can be downloaded in chunks. The
MD5 hash of the image being downloaded is calculated on-the-fly.
"""
def __init__(self, image_info, time_obj=None):
"""Initialize an instance of the ImageDownload class.
Tries each URL in image_info successively until a URL returns a
successful request code. Once the object is initialized, the user may
retrieve chunks of the image through the standard python iterator
interface until either the image is fully downloaded, or an error is
encountered.
:param image_info: Image information dictionary.
:param time_obj: Optional time object to indicate when the image
download began. Defaults to None. If None, then
time.time() will be used to find the start time of
the download.
:raises: ImageDownloadError if starting the image download fails for
any reason.
"""
self._time = time_obj or time.time()
self._image_info = image_info
self._request = None
self._bytes_transferred = 0
self._expected_size = None
checksum = image_info.get('checksum')
retrieved_checksum = False
# Determine the hash algorithm and value will be used for calculation
# and verification, fallback to md5 if algorithm is not set or not
# supported.
algo = image_info.get('os_hash_algo')
if algo and algo in hashlib.algorithms_available:
self._hash_algo = hashlib.new(algo)
self._expected_hash_value = image_info.get('os_hash_value')
elif checksum and _is_checksum_url(checksum):
# Treat checksum urls as first class request citizens, else
# fallback to legacy handling.
self._expected_hash_value = _fetch_checksum(
checksum,
image_info)
retrieved_checksum = True
if not algo:
# Override algorithm not supplied as os_hash_algo
self._hash_algo = _get_algorithm_by_length(
self._expected_hash_value)
elif checksum:
# Fallback to md5 path.
try:
new_algo = _get_algorithm_by_length(checksum)
if not new_algo:
# Realistically, this should never happen, but for
# compatibility...
# TODO(TheJulia): Remove for a 2024 release.
self._hash_algo = hashlib.new('md5') # nosec
else:
self._hash_algo = new_algo
except ValueError as e:
message = ('Unable to proceed with image {} as the '
'checksum indicator has been used but the '
'algorithm could not be identified. Error: '
'{}').format(image_info['id'], str(e))
LOG.error(message)
raise errors.RESTError(details=message)
self._expected_hash_value = checksum
else:
message = ('Unable to verify image {} with available checksums. '
'Please make sure the specified \'os_hash_algo\' '
'(currently {}) is supported by this ramdisk, or '
'provide a md5 checksum via the \'checksum\' '
'field'.format(image_info['id'],
image_info.get('os_hash_algo')))
LOG.error(message)
raise errors.RESTError(details=message)
if not retrieved_checksum:
# Fallback to retrieve the checksum if we didn't retrieve it
# earlier on.
self._expected_hash_value = _fetch_checksum(
self._expected_hash_value,
image_info)
details = []
for url in image_info['urls']:
try:
LOG.info("Attempting to download image from %s", url)
self._request = _download_with_proxy(image_info, url,
image_info['id'])
self._expected_size = self._request.headers.get(
'Content-Length')
except errors.ImageDownloadError as e:
failtime = time.time() - self._time
log_msg = ('URL: {}; time: {} '
'seconds. Error: {}').format(
url, failtime, e.secondary_message)
LOG.warning(log_msg)
details.append(log_msg)
continue
else:
break
else:
details = '\n '.join(details)
raise errors.ImageDownloadError(image_info['id'], details)
def __iter__(self):
"""Downloads and returns the next chunk of the image.
:returns: A chunk of the image. Size of chunk is IMAGE_CHUNK_SIZE
which is a constant in this module.
"""
self._last_chunk_time = None
for chunk in self._request.iter_content(IMAGE_CHUNK_SIZE):
# Per requests forum posts/discussions, iter_content should
# periodically yield to the caller for the client to do things
# like stopwatch and potentially interrupt the download.
# While this seems weird and doesn't exactly seem to match the
# patterns in requests and urllib3, it does appear to be the
# case. Field testing in environments where TCP sockets were
# discovered in a read hanged state were navigated with
# this code.
if chunk:
self._last_chunk_time = time.time()
if isinstance(chunk, str):
encoded_data = chunk.encode()
self._hash_algo.update(encoded_data)
self._bytes_transferred += len(encoded_data)
else:
self._hash_algo.update(chunk)
self._bytes_transferred += len(chunk)
yield chunk
elif (time.time() - self._last_chunk_time
> CONF.image_download_connection_timeout):
LOG.error('Timeout reached waiting for a chunk of data from '
'a remote server.')
raise errors.ImageDownloadError(
self._image_info['id'],
'Timed out reading next chunk from webserver')
def verify_image(self, image_location):
"""Verifies the checksum of the local images matches expectations.
If this function does not raise ImageChecksumError then it is very
likely that the local copy of the image was transmitted and stored
correctly.
:param image_location: The location of the local image.
:raises: ImageChecksumError if the checksum of the local image does
not match the checksum as reported by glance in image_info.
"""
checksum = self._hash_algo.hexdigest()
LOG.debug('Verifying image at %(image_location)s against '
'%(algo_name)s checksum %(checksum)s',
{'image_location': image_location,
'algo_name': self._hash_algo.name,
'checksum': checksum})
if checksum != self._expected_hash_value:
error_msg = errors.ImageChecksumError.details_str.format(
image_location, self._image_info['id'],
self._expected_hash_value, checksum)
LOG.error(error_msg)
raise errors.ImageChecksumError(image_location,
self._image_info['id'],
self._expected_hash_value,
checksum)
@property
def bytes_transferred(self):
"""Property value to return the number of bytes transferred."""
return self._bytes_transferred
@property
def content_length(self):
"""Property value to return the server indicated length."""
# If none, there is nothing we can do, the server didn't have
# a response.
return self._expected_size
def _download_image(image_info):
"""Downloads the specified image to the local file system.
:param image_info: Image information dictionary.
:raises: ImageDownloadError if the image download fails for any reason.
:raises: ImageChecksumError if the downloaded image's checksum does not
match the one reported in image_info.
"""
starttime = time.time()
image_location = _image_location(image_info)
for attempt in range(CONF.image_download_connection_retries + 1):
try:
image_download = ImageDownload(image_info, time_obj=starttime)
with open(image_location, 'wb') as f:
try:
for chunk in image_download:
f.write(chunk)
except Exception as e:
msg = 'Unable to write image to {}. Error: {}'.format(
image_location, str(e))
raise errors.ImageDownloadError(image_info['id'], msg)
image_download.verify_image(image_location)
except (errors.ImageDownloadError,
errors.ImageChecksumError) as e:
if attempt == CONF.image_download_connection_retries:
raise
else:
LOG.warning('Image download failed, %(attempt)s of %(total)s: '
'%(error)s',
{'attempt': attempt,
'total': CONF.image_download_connection_retries,
'error': e})
time.sleep(CONF.image_download_connection_retry_interval)
else:
break
totaltime = time.time() - starttime
LOG.info("Image downloaded from %(image_location)s "
"in %(totaltime)s seconds. Transferred %(size)s bytes. "
"Server originally reported: %(reported)s.",
{'image_location': image_location,
'totaltime': totaltime,
'size': image_download.bytes_transferred,
'reported': image_download.content_length})
def _validate_image_info(ext, image_info=None, **kwargs):
"""Validates the image_info dictionary has all required information.
:param ext: Object 'self'. Unused by this function directly, but left for
compatibility with async_command validation.
:param image_info: Image information dictionary.
:param kwargs: Additional keyword arguments. Unused, but here for
compatibility with async_command validation.
:raises: InvalidCommandParamsError if the data contained in image_info
does not match type and key:value pair requirements and
expectations.
"""
image_info = image_info or {}
checksum_avail = False
md5sum_avail = False
os_hash_checksum_avail = False
for field in ['id', 'urls']:
if field not in image_info:
msg = 'Image is missing \'{}\' field.'.format(field)
raise errors.InvalidCommandParamsError(msg)
if not isinstance(image_info['urls'], list) or not image_info['urls']:
raise errors.InvalidCommandParamsError(
'Image \'urls\' must be a list with at least one element.')
checksum = image_info.get('checksum')
if checksum is not None:
if (not isinstance(image_info['checksum'], str)
or not image_info['checksum']):
raise errors.InvalidCommandParamsError(
'Image \'checksum\' must be a non-empty string.')
if _is_checksum_url(checksum) or len(checksum) > 32:
# Checksum is a URL *or* a greater than 32 characters,
# putting it into the realm of sha256 or sha512 and not
# the MD5 algorithm.
checksum_avail = True
elif CONF.md5_enabled:
md5sum_avail = True
os_hash_algo = image_info.get('os_hash_algo')
os_hash_value = image_info.get('os_hash_value')
if os_hash_algo or os_hash_value:
if (not isinstance(os_hash_algo, str)
or not os_hash_algo):
raise errors.InvalidCommandParamsError(
'Image \'os_hash_algo\' must be a non-empty string.')
if (not isinstance(os_hash_value, str)
or not os_hash_value):
raise errors.InvalidCommandParamsError(
'Image \'os_hash_value\' must be a non-empty string.')
os_hash_checksum_avail = True
if not (checksum_avail or md5sum_avail or os_hash_checksum_avail):
raise errors.InvalidCommandParamsError(
'Image checksum is not available, either the \'checksum\' field '
'or the \'os_hash_algo\' and \'os_hash_value\' fields pair must '
'be set for image verification.')
def _validate_partitioning(device):
"""Validate the final partition table.
Check if after writing the image to disk we have a valid partition
table by trying to read it. This will fail if the disk is junk.
"""
disk_utils.partprobe(device)
try:
nparts = len(disk_utils.list_partitions(device))
except (processutils.UnknownArgumentError,
processutils.ProcessExecutionError, OSError) as e:
msg = ("Unable to find a valid partition table on the disk after "
f"writing the image. The image may be corrupted. Error: {e}")
raise exception.InstanceDeployFailure(msg)
# Check if there is at least one partition in the partition table after
# deploy
if not nparts:
msg = ("No partitions found on the device {} after writing "
"the image.".format(device))
raise exception.InstanceDeployFailure(msg)
class StandbyExtension(base.BaseAgentExtension):
"""Extension which adds stand-by related functionality to agent."""
def __init__(self, agent=None):
"""Constructs an instance of StandbyExtension.
:param agent: An optional IronicPythonAgent object. Defaults to None.
"""
super(StandbyExtension, self).__init__(agent=agent)
self.cached_image_id = None
self.partition_uuids = None
def _cache_and_write_image(self, image_info, device, configdrive=None):
"""Cache an image and write it to a local device.
:param image_info: Image information dictionary.
:param device: The disk name, as a string, on which to store the
image. Example: '/dev/sda'
:param configdrive: A string containing the location of the config
drive as a URL OR the contents (as gzip/base64)
of the configdrive. Optional, defaults to None.
:raises: ImageDownloadError if the image download fails for any reason.
:raises: ImageChecksumError if the downloaded image's checksum does not
match the one reported in image_info.
:raises: ImageWriteError if writing the image fails.
"""
_download_image(image_info)
self.partition_uuids = _write_image(image_info, device, configdrive)
self.cached_image_id = image_info['id']
def _stream_raw_image_onto_device(self, image_info, device):
"""Streams raw image data to specified local device.
:param image_info: Image information dictionary.
:param device: The disk name, as a string, on which to store the
image. Example: '/dev/sda'
:raises: ImageDownloadError if the image download encounters an error.
:raises: ImageChecksumError if the checksum of the local image does not
match the checksum as reported by glance in image_info.
"""
starttime = time.time()
total_retries = CONF.image_download_connection_retries
for attempt in range(total_retries + 1):
try:
image_download = ImageDownload(image_info, time_obj=starttime)
with open(device, 'wb+') as f:
try:
for chunk in image_download:
f.write(chunk)
except Exception as e:
msg = ('Unable to write image to device {}. '
'Error: {}').format(device, str(e))
raise errors.ImageDownloadError(image_info['id'], msg)
# Verify the checksum of the streamed image is correct while
# still in the retry loop, so we can retry should a checksum
# failure be detected.
image_download.verify_image(device)
except (errors.ImageDownloadError,
errors.ImageChecksumError) as e:
if attempt == CONF.image_download_connection_retries:
raise
else:
LOG.warning('Image download failed, %(attempt)s of '
'%(total)s: %(error)s',
{'attempt': attempt,
'total': total_retries,
'error': e})
time.sleep(CONF.image_download_connection_retry_interval)
else:
break
totaltime = time.time() - starttime
LOG.info("Image streamed onto device %(device)s in %(totaltime)s "
"seconds for %(size)s bytes. Server originally reported "
"%(reported)s.",
{'device': device, 'totaltime': totaltime,
'size': image_download.bytes_transferred,
'reported': image_download.content_length})
# Fix any gpt partition
try:
disk_utils.fix_gpt_partition(device, node_uuid=None)
except exception.InstanceDeployFailure:
# Note: the catch internal to the helper method logs any errors.
pass
# Fix the root partition UUID
root_uuid = disk_utils.block_uuid(device)
LOG.info("%(device)s UUID is now %(root_uuid)s",
{'device': device, 'root_uuid': root_uuid})
self.partition_uuids['root uuid'] = root_uuid
def _fix_up_partition_uuids(self, image_info, device):
if self.partition_uuids is None:
self.partition_uuids = {}
if image_info.get('image_type') == 'partition':
return
try:
root_uuid = disk_utils.get_disk_identifier(device)
except OSError as e:
LOG.warning('Failed to call get_disk_identifier: '
'Unable to obtain the root_uuid parameter: '
'The hexdump tool may be missing in IPA: %s', e)
else:
self.partition_uuids['root uuid'] = root_uuid
@base.async_command('prepare_image', _validate_image_info)
def prepare_image(self, image_info, configdrive=None):
"""Asynchronously prepares specified image on local OS install device.
In this case, 'prepare' means make local machine completely ready to
reboot to the image specified by image_info.
Downloads and writes an image to disk if necessary. Also writes a
configdrive to disk if the configdrive parameter is specified.
:param image_info: Image information dictionary.
:param configdrive: A string containing the location of the config
drive as a URL OR the contents (as gzip/base64)
of the configdrive. Optional, defaults to None.
:raises: ImageDownloadError if the image download encounters an error.
:raises: ImageChecksumError if the checksum of the local image does not
match the checksum as reported by glance in image_info.
:raises: ImageWriteError if writing the image fails.
:raises: InstanceDeployFailure if failed to create config drive.
large to store on the given device.
"""
LOG.debug('Preparing image %s', image_info['id'])
# NOTE(dtantsur): backward compatibility
if configdrive is None:
configdrive = image_info.pop('configdrive', None)
device = hardware.dispatch_to_managers('get_os_install_device',
permit_refresh=True)
requested_disk_format = image_info.get('disk_format')
stream_raw_images = image_info.get('stream_raw_images', False)
# don't write image again if already cached
if self.cached_image_id != image_info['id']:
if self.cached_image_id is not None:
LOG.debug('Already had %s cached, overwriting',
self.cached_image_id)
if stream_raw_images and requested_disk_format == 'raw':
if image_info.get('image_type') == 'partition':
# NOTE(JayF): This only creates partitions due to image
# being None
self.partition_uuids = _write_partition_image(None,
image_info,
device,
configdrive)
stream_to = self.partition_uuids['partitions']['root']
else:
self.partition_uuids = {}
stream_to = device
# NOTE(JayF): Images that claim to be raw are not inspected at
# all, as they never interact with qemu-img and are
# streamed directly to disk unmodified.
self._stream_raw_image_onto_device(image_info, stream_to)
else:
self._cache_and_write_image(image_info, device, configdrive)
_validate_partitioning(device)
# For partition images the configdrive creation is taken care by
# partition_utils.work_on_disk(), invoked from either
# _write_partition_image or _cache_and_write_image above.
# Handle whole disk images explicitly now.
if image_info.get('image_type') != 'partition':
if configdrive is not None:
# Will use dummy value of 'local' for 'node_uuid',
# if it is not available. This is to handle scenario
# wherein new IPA is being used with older version
# of Ironic that did not pass 'node_uuid' in 'image_info'
node_uuid = image_info.get('node_uuid', 'local')
partition_utils.create_config_drive_partition(node_uuid,
device,
configdrive)
self._fix_up_partition_uuids(image_info, device)
msg = 'image ({}) written to device {} '
result_msg = _message_format(msg, image_info, device,
self.partition_uuids)
LOG.info(result_msg)
return result_msg
def _run_shutdown_command(self, command):
"""Run the shutdown or reboot command
:param command: A string having the command to be run.
:raises: InvalidCommandParamsError if the passed command is not
equal to poweroff or reboot.
:raises: SystemRebootError if the command errors out with an
unsuccessful exit code.
"""
# TODO(TheJulia): When we have deploy/clean steps, we should remove
# this upon shutdown. The clock sync deploy step can run before
# completing other operations.
self._sync_clock(ignore_errors=True)
if command not in ('reboot', 'poweroff'):
msg = (('Expected the command "poweroff" or "reboot" '
'but received "%s".') % command)
raise errors.InvalidCommandParamsError(msg)
try:
self.sync()
except errors.CommandExecutionError as e:
LOG.warning('Failed to sync file system buffers: % s', e)
try:
_, stderr = utils.execute(command, use_standard_locale=True)
except processutils.ProcessExecutionError as e:
LOG.warning('%s command failed with error %s, '
'falling back to sysrq-trigger', command, e)
else:
if 'ignoring request' in stderr:
LOG.warning('%s command has been ignored, '
'falling back to sysrq-trigger', command)
else:
return
try:
if command == 'poweroff':
utils.execute("echo o > /proc/sysrq-trigger", shell=True)
elif command == 'reboot':
utils.execute("echo b > /proc/sysrq-trigger", shell=True)
except processutils.ProcessExecutionError as e:
raise errors.SystemRebootError(e.exit_code, e.stdout, e.stderr)
@base.async_command('run_image')
def run_image(self):
"""Runs image on agent's system via reboot."""
LOG.info('Rebooting system')
self._run_shutdown_command('reboot')
@base.async_command('power_off')
def power_off(self):
"""Powers off the agent's system."""
LOG.info('Powering off system')
self._run_shutdown_command('poweroff')
@base.sync_command('sync')
def sync(self):
"""Flush file system buffers forcing changed blocks to disk.
:raises: CommandExecutionError if flushing file system buffers fails.
"""
LOG.debug('Flushing file system buffers')
try:
utils.execute('sync')
except processutils.ProcessExecutionError as e:
error_msg = 'Flushing file system buffers failed. Error: %s' % e
LOG.error(error_msg)
raise errors.CommandExecutionError(error_msg)
@base.sync_command('get_partition_uuids')
def get_partition_uuids(self):
"""Return partition UUIDs."""
# NOTE(dtantsur): None means prepare_image hasn't been called (an empty
# dict is used for whole disk images).
if self.partition_uuids is None:
LOG.warning('No partition UUIDs recorded yet, prepare_image '
'has to be called before get_partition_uuids')
return self.partition_uuids or {}
# TODO(TheJulia): Once we have deploy/clean steps, this should
# become a step, which we ideally have enabled by default.
def _sync_clock(self, ignore_errors=False):
"""Sync the clock to a configured NTP server.
:param ignore_errors: Boolean option to indicate if the
errors should be fatal. This option
does not override the fail_if_clock_not_set
configuration option.
:raises: ClockSyncError if a failure is encountered and
errors are not ignored.
"""
try:
utils.sync_clock(ignore_errors=ignore_errors)
# Sync the system hardware clock from the software clock,
# as they are independent and the HW clock can still drift
# with long running ramdisks.
utils.execute('hwclock', '-v', '--systohc')
except (processutils.ProcessExecutionError,
errors.CommandExecutionError) as e:
msg = 'Failed to sync hardware clock: %s' % e
LOG.error(msg)
if CONF.fail_if_clock_not_set or not ignore_errors:
raise errors.ClockSyncError(msg)