baremetal: refuse to inspect associated machines

Automatically inspecting "available" machines is a controversial feature, since it enables "stealing" a machine that Nova already picked for deployment. To reduce this probability, refuse to inspect nodes with instance_uuid set. Also finish the incomplete comment. Change-Id: I6cde6a6f9303f2a21efcfce979ffc0c1fea4bdb3
2018-05-18 12:11:06 +02:00 · 2018-05-18 12:11:06 +02:00 · f19d58a728
commit f19d58a728
parent ab8f602649
3 changed files with 35 additions and 2 deletions
--- a/openstack/cloud/openstackcloud.py
+++ b/openstack/cloud/openstackcloud.py
@ -8912,9 +8912,17 @@ class OpenStackCloud(_normalize.Normalizer):
            raise exc.OpenStackCloudException(
                "Machine inspection failed to find: %s." % name_or_id)

-        # NOTE(TheJulia): If in available state, we can do this, however
-        # We need to to move the host back to m
+        # NOTE(TheJulia): If in available state, we can do this. However,
+        # we need to to move the machine back to manageable first.
        if "available" in machine['provision_state']:
+            if machine['instance_uuid']:
+                raise exc.OpenStackCloudException(
+                    "Refusing to inspect available machine %(node)s "
+                    "which is associated with an instance "
+                    "(instance_uuid %(inst)s)" %
+                    {'node': machine['uuid'],
+                     'inst': machine['instance_uuid']})
+
            return_to_available = True
            # NOTE(TheJulia): Changing available machine to managedable state
            # and due to state transitions we need to until that transition has
--- a/openstack/tests/unit/cloud/test_baremetal_node.py
+++ b/openstack/tests/unit/cloud/test_baremetal_node.py
@ -222,6 +222,26 @@ class TestBaremetalNode(base.IronicTestCase):

        self.assert_calls()

+    def test_inspect_machine_fail_associated(self):
+        self.fake_baremetal_node['provision_state'] = 'available'
+        self.fake_baremetal_node['instance_uuid'] = '1234'
+        self.register_uris([
+            dict(method='GET',
+                 uri=self.get_mock_url(
+                     resource='nodes',
+                     append=[self.fake_baremetal_node['uuid']]),
+                 json=self.fake_baremetal_node),
+        ])
+        self.assertRaisesRegex(
+            exc.OpenStackCloudException,
+            'associated with an instance',
+            self.cloud.inspect_machine,
+            self.fake_baremetal_node['uuid'],
+            wait=True,
+            timeout=1)
+
+        self.assert_calls()
+
    def test_inspect_machine_failed(self):
        inspecting_node = self.fake_baremetal_node.copy()
        self.fake_baremetal_node['provision_state'] = 'inspect failed'
--- a/releasenotes/notes/no-inspect-associated-563e272785bb6016.yaml
+++ b/releasenotes/notes/no-inspect-associated-563e272785bb6016.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Machine inspection is now blocked for machines associated with an instance.
+    This is to avoid "stealing" a machine from under a provisioner (e.g. Nova).