1d5c45d703
This is a backport of two changes merged together to facilitate
backporting:
The first is a refactor of disk utilities:
Import disk_{utils,partitioner} from ironic-lib
With the iscsi deploy long gone, these modules are only used in IPA and
in fact represent a large part of its critical logic. Having them
separately sometimes makes fixing issues tricky if an interface of
a function needs changing.
This change imports the code mostly as it is, just removing run_as_root and
a deprecated function, as well as moving configuration options to config.py.
Also migrates one relevant function from ironic_lib.utils.
The second is the fix for the security issue:
Inspect non-raw images for safety
When IPA gets a non-raw image, it performs an on-the-fly conversion
using qemu-img convert, as well as running qemu-img frequently to get
basic information about the image before validating it.
Now, we ensure that before any qemu-img calls are made, that we have
inspected the image for safety and pass through the detected format.
If given a disk_format=raw image and image streaming is enabled
(default), we retain the existing behavior of not inspecting it in
any way and streaming it bit-perfect to the device. In this case, we
never use qemu-based tools on the image at all.
If given a disk_format=raw image and image streaming is disabled, this
change fixes a bug where the image may have been converted if it was not
actually raw in the first place. We now stream these bit-perfect to the
device.
Adds two config options:
- [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in
order to disable all security features. Do not do this.
- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types
IPA should accept.
Both of these configuration options are wired up to be set by the lookup
data returned by Ironic at lookup time.
This uses a image format inspection module imported from Nova; this
inspector will eventually live in oslo.utils, at which point we'll
migrate our usage of the inspector to it.
Closes-Bug: #2071740
Co-Authored-By: Dmitry Tantsur <dtantsur@protonmail.com>
Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7
|
||
|---|---|---|
| doc | ||
| examples | ||
| imagebuild | ||
| ironic_python_agent | ||
| releasenotes | ||
| tools | ||
| zuul.d | ||
| .git-blame-ignore-revs | ||
| .gitignore | ||
| .gitreview | ||
| .stestr.conf | ||
| bindep.txt | ||
| CONTRIBUTING.rst | ||
| LICENSE | ||
| plugin-requirements.txt | ||
| README.rst | ||
| requirements.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
Ironic Python Agent
Team and repository tags
Overview
An agent for controlling and deploying Ironic controlled baremetal nodes.
The ironic-python-agent works with the agent driver in Ironic to provision the node. Starting with ironic-python-agent running on a ramdisk on the unprovisioned node, Ironic makes API calls to ironic-python-agent to provision the machine. This allows for greater control and flexibility of the entire deployment process.
The ironic-python-agent may also be used with the original Ironic pxe drivers as of the Kilo OpenStack release.
Building the IPA deployment ramdisk
For more information see the Image Builder section of the Ironic Python Agent developer guide.
Using IPA with devstack
This is covered in the Deploying Ironic with DevStack section of the Ironic dev-quickstart guide.
Project Resources
Project bugs are tracked on Launchpad:
Developer documentation can be found here:
Release notes for the project are available at:
https://docs.openstack.org/releasenotes/ironic-python-agent/
Source code repository for the project is located at:
- IRC channel:
-
#openstack-ironic on irc.oftc.net
To contribute, start here: Openstack: How to contribute.