Add support for using NVMe specific cleaning

This change adds support for utilising NVMe specific cleaning tools
on supported devices. This will remove the necessity of using shred to
securely delete the contents of an NVMe drive and enable using nvme-cli
tools instead, improving cleaning performance and reducing wear on the device.

Story: 2008290
Task: 41168
Change-Id: I2f63db9b739e53699bd5f164b79640927bf757d7
Jacob Anders 2021-01-22 11:47:00 +10:00
parent e7a372b017
commit b66471e39d
4 changed files with 41 additions and 7 deletions


@ -32,6 +32,14 @@ opts = [
mutable=True, mutable=True,
help=_('Whether to support the use of ATA Secure Erase ' help=_('Whether to support the use of ATA Secure Erase '
'during the cleaning process. Defaults to True.')), 'during the cleaning process. Defaults to True.')),
cfg.BoolOpt('enable_nvme_secure_erase',
default=True,
mutable=True,
help=_('Whether to support the use of NVMe Secure Erase '
'during the cleaning process. Currently nvme-cli '
'format command is supported with user-data and '
'crypto modes, depending on device capabilities.'
'Defaults to True.')),
cfg.IntOpt('erase_devices_priority', cfg.IntOpt('erase_devices_priority',
mutable=True, mutable=True,
help=_('Priority to run in-band erase devices via the Ironic ' help=_('Priority to run in-band erase devices via the Ironic '
@ -66,12 +74,12 @@ opts = [
cfg.BoolOpt('continue_if_disk_secure_erase_fails', cfg.BoolOpt('continue_if_disk_secure_erase_fails',
default=False, default=False,
mutable=True, mutable=True,
help=_('Defines what to do if an ATA secure erase operation ' help=_('Defines what to do if a secure erase operation '
'fails during cleaning in the Ironic Python Agent. ' '(NVMe or ATA) fails during cleaning in the Ironic '
'If False, the cleaning operation will fail and the ' 'Python Agent. If False, the cleaning operation will '
'node will be put in ``clean failed`` state. ' 'fail and the node will be put in ``clean failed`` '
'If True, shred will be invoked and cleaning will ' 'state. If True, shred will be invoked and cleaning '
'continue.')), 'will continue.')),
cfg.IntOpt('disk_erasure_concurrency', cfg.IntOpt('disk_erasure_concurrency',
default=1, default=1,
min=1, min=1,
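Review bot: The reworded help for `continue_if_disk_secure_erase_fails` now covers NVMe but still only says shred will be invoked, without telling the operator that an overwrite pass on flash media may not reach over-provisioned or remapped blocks, so the fallback is likely weaker than the secure erase it stands in for. I would add a sentence to that help string such as `'Note that shred gives weaker guarantees on flash devices.'`. Separately, in the new `enable_nvme_secure_erase` help the fragments `'crypto modes, depending on device capabilities.'` and `'Defaults to True.'` concatenate without a space, so the first should end in `'capabilities. '`. The `opts` list starts and ends outside both hunks.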


@ -308,7 +308,16 @@ def agent_add_clean_params(task):
zeroize = CONF.deploy.shred_final_overwrite_with_zeros zeroize = CONF.deploy.shred_final_overwrite_with_zeros
info['agent_erase_devices_zeroize'] = zeroize info['agent_erase_devices_zeroize'] = zeroize
erase_fallback = CONF.deploy.continue_if_disk_secure_erase_fails erase_fallback = CONF.deploy.continue_if_disk_secure_erase_fails
info['agent_continue_if_secure_erase_failed'] = erase_fallback
# NOTE(janders) ``agent_continue_if_ata_erase_failed`` is deprecated and
# will be removed in the "Y" cycle. The replacement option
# ``agent_continue_if_secure_erase_failed`` is used to control shred
# fallback for both ATA Secure Erase and NVMe Secure Erase.
# The ``agent_continue_if_ata_erase_failed`` line can
# be deleted along with this comment when support for it is fully removed.
info['agent_continue_if_ata_erase_failed'] = erase_fallback info['agent_continue_if_ata_erase_failed'] = erase_fallback
nvme_secure_erase = CONF.deploy.enable_nvme_secure_erase
info['agent_enable_nvme_secure_erase'] = nvme_secure_erase
secure_erase = CONF.deploy.enable_ata_secure_erase secure_erase = CONF.deploy.enable_ata_secure_erase
info['agent_enable_ata_secure_erase'] = secure_erase info['agent_enable_ata_secure_erase'] = secure_erase
info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency info['disk_erasure_concurrency'] = CONF.deploy.disk_erasure_concurrency
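Review bot: The NOTE(janders) comment says `agent_continue_if_ata_erase_failed` will be removed in the "Y" cycle, while the release note added by this same commit tells operators to move the agent image to Wallaby before upgrading the conductor to Xena, which reads as if the old key stops being sent one cycle earlier. One of the two should be corrected so the comment and the release note name the same release. This matters because an agent that only reads the old key would silently lose the operator's fallback setting once the line is deleted. The body of `agent_add_clean_params` starts and ends outside the hunk.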


@ -1147,6 +1147,7 @@ class AgentMethodsTestCase(db_base.DbTestCase):
'deploy') 'deploy')
cfg.CONF.set_override('enable_ata_secure_erase', False, 'deploy') cfg.CONF.set_override('enable_ata_secure_erase', False, 'deploy')
cfg.CONF.set_override('disk_erasure_concurrency', 8, 'deploy') cfg.CONF.set_override('disk_erasure_concurrency', 8, 'deploy')
cfg.CONF.set_override('enable_nvme_secure_erase', False, 'deploy')
with task_manager.acquire( with task_manager.acquire(
self.context, self.node.uuid, shared=False) as task: self.context, self.node.uuid, shared=False) as task:
utils.agent_add_clean_params(task) utils.agent_add_clean_params(task)
@ -1155,11 +1156,13 @@ class AgentMethodsTestCase(db_base.DbTestCase):
self.assertIs(False, task.node.driver_internal_info[ self.assertIs(False, task.node.driver_internal_info[
'agent_erase_devices_zeroize']) 'agent_erase_devices_zeroize'])
self.assertIs(True, task.node.driver_internal_info[ self.assertIs(True, task.node.driver_internal_info[
'agent_continue_if_ata_erase_failed']) 'agent_continue_if_secure_erase_failed'])
self.assertIs(False, task.node.driver_internal_info[ self.assertIs(False, task.node.driver_internal_info[
'agent_enable_ata_secure_erase']) 'agent_enable_ata_secure_erase'])
self.assertEqual(8, task.node.driver_internal_info[ self.assertEqual(8, task.node.driver_internal_info[
'disk_erasure_concurrency']) 'disk_erasure_concurrency'])
self.assertIs(False, task.node.driver_internal_info[
'agent_enable_nvme_secure_erase'])
@mock.patch('ironic.conductor.utils.is_fast_track', autospec=True) @mock.patch('ironic.conductor.utils.is_fast_track', autospec=True)
@mock.patch.object(pxe.PXEBoot, 'prepare_ramdisk', autospec=True) @mock.patch.object(pxe.PXEBoot, 'prepare_ramdisk', autospec=True)
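Review bot: The assertion on `'agent_continue_if_ata_erase_failed'` is replaced rather than kept, so the test no longer covers the deprecated key that `agent_add_clean_params` still writes for older agents. Until that key is actually removed I would keep both checks by adding `self.assertIs(True, task.node.driver_internal_info['agent_continue_if_ata_erase_failed'])` next to the new `agent_continue_if_secure_erase_failed` assertion. Otherwise an early removal of the compatibility line would pass the suite unnoticed. The test method starts outside the hunk.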


@ -0,0 +1,14 @@
---
features:
- |
Adds the ``[deploy]enable_nvme_secure_erase`` option which allows the
operator to enable NVMe format option for all nodes being managed by
the conductor.
deprecations:
- |
Deprecates ATA specific ``agent_continue_if_ata_erase_failed`` agent's
option which is replaced with ``agent_continue_if_secure_erase_failed``.
The new option supports both ATA and NVMe secure erase. In order to ensure
a smooth migration to the new configuration option, the operators need to
upgrade Ironic Python Agent image to Wallaby release prior to upgrading
Ironic Conductor to Xena.