Go to file

Jay Faulkner e303a369dc Inspect non-raw images for safety

When IPA gets a non-raw image, it performs an on-the-fly conversion
using qemu-img convert, as well as running qemu-img frequently to get
basic information about the image before validating it.

Now, we ensure that before any qemu-img calls are made, that we have
inspected the image for safety and pass through the detected format.

If given a disk_format=raw image and image streaming is enabled
(default), we retain the existing behavior of not inspecting it in
any way and streaming it bit-perfect to the device. In this case, we
never use qemu-based tools on the image at all.

If given a disk_format=raw image and image streaming is disabled, this
change fixes a bug where the image may have been converted if it was not
actually raw in the first place. We now stream these bit-perfect to the
device.

Adds two config options:
- [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in
  order to disable all security features. Do not do this.
- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types
  IPA should accept.

Both of these configuration options are wired up to be set by the lookup
data returned by Ironic at lookup time.

This uses a image format inspection module imported from Nova; this
inspector will eventually live in oslo.utils, at which point we'll
migrate our usage of the inspector to it.

Closes-Bug: #2071740
Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7

2024-09-04 09:11:28 -07:00

doc

update dynamic-login to mention the sshkey option

2024-07-31 12:22:31 -05:00

examples

[codespell] Fix spelling issues in IPA

2023-12-28 10:54:46 -08:00

imagebuild

Remove imagebuild/common, it's not longer used by IPA-builder

2019-10-16 14:14:13 +02:00

ironic_python_agent

Inspect non-raw images for safety

2024-09-04 09:11:28 -07:00

releasenotes

Inspect non-raw images for safety

2024-09-04 09:11:28 -07:00

tools

Adds bandit template and exclude some of tests

2019-06-20 14:39:36 +08:00

zuul.d

Remove and disable examples job

2024-09-04 09:11:28 -07:00

.git-blame-ignore-revs

[codespell] Adding git-blame-ignore-revs to clear codespell changes

2024-01-25 01:49:11 +00:00

.gitignore

Remove the configuration sample file

2019-12-02 12:11:58 +01:00

.gitreview

OpenDev Migration Patch

2019-04-19 19:48:56 +00:00

.stestr.conf

Migrate to stestr as unit tests runner

2017-09-26 09:23:53 -07:00

bindep.txt

Drop python2 from bindep.txt

2022-06-30 23:33:05 +00:00

CONTRIBUTING.rst

Ironic (and IPA) use launchpad now

2023-05-17 15:38:57 -07:00

LICENSE

add license file

2013-09-17 13:41:59 -07:00

plugin-requirements.txt

Update hardware to 0.24,0

2020-01-15 12:44:31 +01:00

README.rst

Ironic (and IPA) use launchpad now

2023-05-17 15:38:57 -07:00

requirements.txt

Remove old excludes

2024-04-30 22:46:45 +09:00

setup.cfg

Fix issues caused/found by new codespell

2024-05-23 15:49:48 -07:00

setup.py

Fix for tox4 and setuptools

2023-01-02 14:40:35 +01:00

test-requirements.txt

Remove old excludes

2024-04-30 22:46:45 +09:00

tox.ini

Force constraints when installing a package during tox test

2024-02-12 14:59:39 +01:00

README.rst

Ironic Python Agent

Team and repository tags

Overview

An agent for controlling and deploying Ironic controlled baremetal nodes.

The ironic-python-agent works with the agent driver in Ironic to provision the node. Starting with ironic-python-agent running on a ramdisk on the unprovisioned node, Ironic makes API calls to ironic-python-agent to provision the machine. This allows for greater control and flexibility of the entire deployment process.

The ironic-python-agent may also be used with the original Ironic pxe drivers as of the Kilo OpenStack release.

Building the IPA deployment ramdisk

For more information see the Image Builder section of the Ironic Python Agent developer guide.

Using IPA with devstack

This is covered in the Deploying Ironic with DevStack section of the Ironic dev-quickstart guide.

Project Resources

Project bugs are tracked on Launchpad:

https://bugs.launchpad.net/ironic-python-agent/+bugs

Developer documentation can be found here:

https://docs.openstack.org/ironic-python-agent/latest/

Release notes for the project are available at:

https://docs.openstack.org/releasenotes/ironic-python-agent/

Source code repository for the project is located at:

https://opendev.org/openstack/ironic-python-agent/

IRC channel:: #openstack-ironic on irc.oftc.net

To contribute, start here: Openstack: How to contribute.