12960 Commits

Author SHA1 Message Date
Dmitry Tantsur
d8440aac9e
Try limiting MTU to at least 1280
Change-Id: If8f9907df62019b3cf6d6df7d83d5ff421f6be65
(cherry picked from commit 510f87a033ce5f76a7aa881f56b2bd9958c8582f)
2024-09-12 17:06:14 +02:00
Zuul
8293efd983 Merge "CVE-2024-44982: Harden all image handling and conversion code" into stable/2024.1 24.1.2 2024-09-05 08:39:42 +00:00
Julia Kreger
f7c7ea935a CVE-2024-44982: Harden all image handling and conversion code
It was recently learned by the OpenStack community that running qemu-img
on un-trusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.

This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in a deployment.

This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.

Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
2024-09-04 15:19:31 -07:00
Julia Kreger
f33949e378 CI: Disable metal3-integration test job
The metal3-integration CI job is not smart enough to know which
branches to pull for it to correctly test the branch, and so it
should be disabled on this branch.

Change-Id: If04a5b97722cc1a8e125c3348e09339c3a7ce0eb
(cherry picked from commit 4cb0af7fd6e9afa8fe8a3b2a2e47427929068843)
2024-09-04 11:01:07 -07:00
Riccardo Pittau
25c78951a1 [CI][stable only] fix zuul config
Change-Id: Iebfc1aa95b96c7c20cd1abe2d03b6b302a1a076a
2024-08-20 15:07:19 +02:00
Riccardo Pittau
9ac8417966 [CI] Fix job parent name
ironic-tempest-partition-uefi-redfish-vmedia was renamed to
ironic-tempest-uefi-redfish-vmedia a long time ago

Change-Id: Iaa63e9cf12d47667955973033586fa65dd18e6b7
(cherry picked from commit 3f34f04bf0c46173bbc9d865bd0b001b87ab592d)
2024-08-08 12:28:09 +00:00
Julia Kreger
84fb43b81b fix: Fix class typo for portgroup. Portgroup instead of PortGroup
Apparently, this has been around for ages, but the error was likely
not exactly right as a result of this. Anyway, quick fix.

Change-Id: Idee3c1edfdd65928eaa5f8d30b62474d85dec277
(cherry picked from commit eaa0521bee0997f0d30641825e0ac2af9c1ace09)
2024-06-18 19:37:04 +00:00
Curt Moore
55987f2697 Correct bond_mode enum value for 802.3ad
Change-Id: Ic7162f7d04673bfc5b2dec575b2bdffbc6ea0fe8
(cherry picked from commit b00c4996503b5236ebb1c745cce8949cdfaa43a4)
2024-06-12 11:44:06 +00:00
Zuul
910819efce Merge "Inject a randomized publisher id" into stable/2024.1 2024-05-15 16:29:27 +00:00
Takashi Kajinami
4e09e6dc53 Remove SQLAlchemy tips jobs
The most recent SQLAlchemy and Alembic versions are now in
upper-constraints. As a result, this job has served its purpose and can
be removed. For more information, see [1].

[1] https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/RBHXHTO3GUOOXVSZXD4C2O3TKDOH2QSC/

Co-Authored-By: Stephen Finucane <stephenfin@redhat.com>
Change-Id: I51fe54d10f7b1c8fa9052f6e382a97861f469859
(cherry picked from commit a27f29fb4c20b9cb1de4a3d22caa76d631a13dc2)
2024-05-15 03:43:04 +00:00
Julia Kreger
f0b6238819 Fix spurious CI job failures around partition images
Cirros partition images have some underlying limitations,
meaning it is not ideal for any step which requires the image
to have commands executed in it to perform operations, such as
mounting additional filesystems in UEFI mode, or installing
grub in BIOS mode.

This is because cirros images are an unpacked ramdisk, in other
words, the posted disk image *has no* contents on the root
filesystem of the image. While we attempt to unpack[0] this as well,
this can also fail creating false failures resulting in check
jobs failing and then working on recheck.

As the constraint is the same as the BIOS mode check, and there
is no realistic fix, this change removes the boot mode check and
thus always disables partition image testing with tempest *when*
cirros is in use.

note 0: We presently unpack using a virtual machine launch so it
takes place with the same process as when cirros starts, however
linux doesn't always boot, and the tools don't really determine
if that is the case or not, and if we retool it, we should just
move to a direct extraction and image re-pack.

Change-Id: I7687ff1eddb14d22b981860d4c4c9b172bae45b7
(cherry picked from commit 8d0b556e3d61bcaf01a4a72b470b4cadfde352f1)
2024-05-08 23:17:02 +00:00
Julia Kreger
78c1d9a98d Inject a randomized publisher id
To serve as a mechanism to allow an interlocking device identification
this patch injects a publisher id value into ISO images *and* the kernel
command line for any software running from the ISO image to match
the ISO in use to the location of data housed locally from within the
image.

Related-Bug: 2032377
Change-Id: I9b74ec977fabc0a7f8ed6f113595a3f1624f6ee6
(cherry picked from commit fb850e7f005e0ef4b5c489b8c2b245791d0d33eb)
2024-05-01 15:00:23 +00:00
Zuul
1efa611460 Merge "Redfish: fix error formatting when mounting vmedia" into stable/2024.1 2024-04-29 17:28:16 +00:00
Zuul
8ff518f148 Merge "Fix the confusion around service_reboot/servicing_reboot" into stable/2024.1 2024-04-29 16:31:56 +00:00
Dmitry Tantsur
394ee3763b Redfish: fix error formatting when mounting vmedia
Also add missing error into the message.

Change-Id: I9610add40afbb7beb30d375a3a455434f5446cc7
(cherry picked from commit f43587effd68a0842fa3946dc165faccc8a925f2)
2024-04-29 14:41:55 +00:00
Riccardo Pittau
5026e30797 Fix attach/detach vmedia redfish implementation
We need to map with virtual media devices and not boot
devices only.

Change-Id: I88b56ae26d9f1d8642ed6ffc5c055f8d56f6939a
(cherry picked from commit c1f3daf7b0006bd555b950a0cd0dfe8a04878ec7)
2024-04-24 11:46:23 +02:00
Riccardo Pittau
d31ea3d051 Fix redfish detach generic vmedia device method
Fixes usage of redfish detach virtual media feature to conform to
the general implementation.
Before the detach virtual media API call using redfish driver was not
working as intended and caused the operation to fail.

The method implementation was allowing only a single device_type
while it should be multiple devices to match the conductor manager
implementation.

Change-Id: I9edd3b77eeb3ec1b0484d4e6f0c6dea53e83f9ad
(cherry picked from commit 58fc21fc0b0ab7beb5a74654455265b95cc25a28)
2024-04-19 12:56:57 +00:00
Jacob Anders
22666a889f Add states.SERVICING and SERVICEWAIT to _FASTTRACK_HEARTBEAT_ALLOWED
Currently, service steps may fail to start in scenarios dependent on IPA
fasttrack. This change attempts to resolve this by incorporating
servicing states in the fast track allowed states whitelist while also
making _FASTTRACK_HEARTBEAT_ALLOWED a superset of _HEARTBEAT_ALLOWED
instead of duplicating values in the two constants.

Change-Id: I47984469c1432e7fc7b4f1494b9f6c551c34672f
(cherry picked from commit 619e1ac80ccc6f20e32a2a80d31637dd45d6d45b)
2024-04-17 10:36:02 +00:00
Alexon Oliveira
438fd6220a Remove deprecation warning by setting schema
Closes-Bug: #2061160

Change-Id: Ie5af73dd1b8af29734d1cf34b070e2a2bbc09949
Signed-off-by: Alexon Oliveira <alolivei@redhat.com>
(cherry picked from commit 668dd24108f63418c7dae4df16526acbfd8daf9c)
2024-04-16 19:21:30 +00:00
Dmitry Tantsur
2638b6c009 Fix the confusion around service_reboot/servicing_reboot
We ended up using two names for the same flag (and forgot it in one
place completely). To not just fix the issue but also prevent it in the
future, refactor asynchronous steps handling into a new helper module
with constants and helper functions.

I've settled on servicing_reboot as opposed to service_reboot because
that's the value we currently set (but not read), so it provides
better compatibility when backporting.

Remove excessive mocking in the Redfish unit tests.

Change-Id: I32b5f860b5d10864ce68f8d5f1dac3f76cd158d6
(cherry picked from commit 004e78c41368a3bb037726ce0c1ff550436a5717)
2024-04-16 07:48:25 +00:00
Dmitry Tantsur
7b6e58a5ac Fix servicing clean-up
Serious issues:
- Nothing powers on nodes after servicing, so they end up active and
  powered off in the end.
- Restoring power state was done three times.

Minor issues:
- Function _tear_down_node_servicing is called twice causing a traceback.
- Furthermore, process_event('done') is also called in another place
  in deploy utils.
- Make sure nodes are never considered for fast-track when servicing, it
  prevents clean-up of virtual media devices.

Change-Id: I92fd7a0009a816e93e316e4674c7509b61a474d4
(cherry picked from commit 6c8673c1b495095a0c92e0323976f3bc3834ac08)
2024-04-16 07:48:15 +00:00
Zuul
4081a71633 Merge "Handle servicing failures in the Redfish BIOS interface" into stable/2024.1 2024-04-15 10:31:32 +00:00
Dmitry Tantsur
5733379b62 Handle servicing failures in the Redfish BIOS interface
Change-Id: I58a27ec9e3646b143fc0874f033849056848c411
(cherry picked from commit c61c7fabe34be86c17710db4dea9d111acba477c)
2024-04-12 14:42:31 +00:00
Dmitry Tantsur
5f9ceb492d Fix get_async_step_return_state to account for servicing
Change-Id: I502be5613ffef7c2f51eafd0a10d5e9c5d5ec2a4
(cherry picked from commit c1ce255f010983b5f525bc38d2f3a0a7a34176b0)
2024-04-12 11:50:37 +00:00
Zuul
df29eef628 Merge "Add states.SERVICING and SERVICEWAIT to need_prepare_ramdisk" into stable/2024.1 2024-04-12 08:50:32 +00:00
Dmitry Tantsur
9bfe422f78 Stop assuming service steps have priorities
Unlike clean, deploy and verify steps, service steps cannot run
automatically and thus do not have a usable notion of priority. It's not
possible to provide a priority through the API but our validation code
still requires it. This change gets rid of most priority handling for
service steps, leaving only some foundation for future enhancements.

Change-Id: I82aefc03a5c062b67e0f457612fe568399226dc8
(cherry picked from commit 22aa29b864eecd00bfb7c67cc2075030da1eb1d0)
2024-04-11 12:40:13 +00:00
Jacob Anders
fab3772cbd Add states.SERVICING and SERVICEWAIT to need_prepare_ramdisk
Currently, service steps do not work with virtual media deployments
because states.SERVICING and states.SERVICEWAIT are missing from the whitelist
of valid provision_states. This change resolves this issue.

Change-Id: I5e3ec08d128b35385f2d90c9c852140b757b8dbf
(cherry picked from commit 70ccb6af111186431b898c4dc6c1c3e6564ab1d7)
2024-04-10 09:22:46 +00:00
Dmitry Tantsur
ac2c86861f Fix generating local paths when connecting virtual media
The generated path does not contain the node UUID, causing conflicts.

Also make sure to always clean up any existing files first.

Change-Id: I30f948d64e7b87f33841dc22828db60338a62dd8
(cherry picked from commit a9a4fff71c15e6192e06652d64a1048bd5c2633d)
2024-04-09 09:05:06 +00:00
Riccardo Pittau
31c6de0982 Update min required version of scciclient
For compatibility with pysnmp-lextudio and pyasn1 we increase the
minimum required version of python-scciclient to latest available.
Also capping proliantutils to avoid breaking changes.

Change-Id: I64587d24383dc05927135d7e7e3a2a6975a58558
(cherry picked from commit 388b9ddcacc6539433fe2d37534414126dd47826)
24.1.1
2024-03-25 07:55:19 +00:00
0d0ed8b0ff Update TOX_CONSTRAINTS_FILE for stable/2024.1
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.

Until the requirements repository has a stable/2024.1 branch, tests will
continue to use the upper-constraints list on master.

Change-Id: I312d0d2a1e049a76e00075d9d40ff113af258bf5
2024-03-19 15:25:13 +00:00
702272742c Update .gitreview for stable/2024.1
Change-Id: I9e659f9d4d1aff6d93d567684d9cd423228277c0
2024-03-19 15:25:10 +00:00
Zuul
99b1f9c479 Merge "Bump proliantutils for pyasn1 compatibility" 24.1.0 2024-03-18 16:46:53 +00:00
Zuul
5c00b7cf0b Merge "Fix data length exceeding limit error" 2024-03-18 14:40:05 +00:00
Riccardo Pittau
d57e113605 Bump proliantutils for pyasn1 compatibility
Latest version moves back to lextudio pysnmp keeping pyasn1
as dependency.

Change-Id: I042a74eccacd6f358daf04d4ccbd53390bcc8df8
2024-03-18 10:14:23 +01:00
Zuul
60e780fe15 Merge "Ignore generated config/policy file" 2024-03-17 23:05:39 +00:00
Zuul
0237392002 Merge "Fix artifical rbac policy constraint that resulted in 500s" 2024-03-17 21:33:45 +00:00
CID
ef8bca007d Fix data length exceeding limit error
This commit increases the length of the 'user' column to
accommodate longer UUIDs, ensuring that the full user UUIDs are stored
without exceeding the column limit.

Closes-Bug: #2054594
Change-Id: I59b435ca2bb5850bb2338228b64868c2003bfea3
2024-03-16 22:26:15 +00:00
Jay Faulkner
10785a0550 Release mappings for 23.1, 24.0, 24.1/2024.1
Release mappings! We made a Caracal!

Change-Id: I0106d43080746e1b159f4a54e6808d477cfbef44
2024-03-15 11:44:13 -07:00
Zuul
8922c79b7c Merge "Support more standard way of passing lists via query strings" 2024-03-15 14:09:31 +00:00
Zuul
2f71e5d512 Merge "Update regex to detect closed branch" 2024-03-15 01:58:15 +00:00
Zuul
f2257d33db Merge "docs: augment admin troubleshooting docs for system scope context" 2024-03-15 01:58:12 +00:00
Zuul
64595e704a Merge "Release notes prelude for 2024.1/24.1" 2024-03-15 01:58:07 +00:00
Zuul
96565b6894 Merge "Tempest test with only wholedisk for some jobs" 2024-03-15 00:46:31 +00:00
Zuul
bf1aadf2bc Merge "Allow usage of virtual media via System" 2024-03-14 22:14:59 +00:00
Zuul
16b0ea709a Merge "Implement generic redfish vmedia attach detach" 2024-03-14 21:39:50 +00:00
Iury Gregory Melo Ferreira
10ebbe74da Tempest test with only wholedisk for some jobs
Changing the ironic-tempest-uefi-redfish-vmedia and
ironic-tempest-ovn-uefi-ipmi-pxe jobs to only run
tempest test_baremetal_server_ops_wholedisk_image.

We saw failures on the partition tests for these jobs.

Related-Bug: #2057972
Change-Id: I2e26d7955ade11046bf89b6f4c9c2c4f16da1574
2024-03-14 18:39:39 -03:00
Jay Faulkner
0c735264d6 Release notes prelude for 2024.1/24.1
Change-Id: If17630cccd4e61d4c966deec6ff473a50752eeb2
2024-03-14 20:12:15 +00:00
Zuul
8fa1de8ab0 Merge "[codespell] Adding CI target for Tox Codespell" 2024-03-14 17:38:09 +00:00
Zuul
4aa096877e Merge "[codespell] Adding Tox Target for Codespell" 2024-03-14 17:13:10 +00:00
Zuul
df9e1ba80e Merge "[codespell] Fixing Spelling Mistakes" 2024-03-14 17:13:05 +00:00