Configure cleaning parameters

Adds new parameter cleaning_disk_erase which, if set, configures
appropriate clean steps to achieve either full erasure, erasure of
disk metadata or no erasing actions.

Also allow configuring whether to fall back from hard disk shredding
if ATA secure erase fails for some reason.

Change-Id: I5fdaa2ee115bc850df3d1efec2d2aa8ac2c4062e

manifests/conductor.pp

@@ -52,6 +52,19 @@
 #   to a ramdisk for cleaning using Neutron DHCP.
 #   Defaults to $::os_service_default
 #
+# [*cleaning_disk_erase*]
+#   (optional) Whether and how to erase hard drives during automated cleaning.
+#   Accepts the following values:
+#   * full - erase all data from all disks,
+#   * metadata - erase only metadata (partitioning table, etc),
+#   * none - do not erase anything (dangerous, use with caution).
+#   Defaults to undef, which leaves the configuration intact
+#
+# [*continue_if_disk_secure_erase_fails*]
+#   (optional) Whether to continue with shredding the hard drive if secure ATA
+#   erasure fails. Only makes sense if full hard disk erasing is enabled.
+#   Defaults to $::os_service_default
+#
 # [*api_url*]
 #   (optional) Ironic API URL.
 #   Defaults to $::os_service_default
@@ -69,6 +82,8 @@ class ironic::conductor (
   $automated_clean                      = $::os_service_default,
   $swift_account                        = $::os_service_default,
   $cleaning_network_uuid                = $::os_service_default,
+  $cleaning_disk_erase                  = undef,
+  $continue_if_disk_secure_erase_fails  = $::os_service_default,
   $api_url                              = $::os_service_default,
   $provisioning_network_uuid            = $::os_service_default,
 ) {
@@ -77,6 +92,29 @@ class ironic::conductor (
 
   Ironic_config<||> ~> Service['ironic-conductor']
 
+  if $cleaning_disk_erase {
+    validate_re($cleaning_disk_erase, ['^full$', '^metadata$', '^none$'])
+  }
+
+  case $cleaning_disk_erase {
+    'full': {
+      $erase_devices_priority = 10
+      $erase_devices_metadata_priority = 0
+    }
+    'metadata': {
+      $erase_devices_priority = 0
+      $erase_devices_metadata_priority = 10
+    }
+    'none': {
+      $erase_devices_priority = 0
+      $erase_devices_metadata_priority = 0
+    }
+    default: {
+      $erase_devices_priority = $::os_service_default
+      $erase_devices_metadata_priority = $::os_service_default
+    }
+  }
+
   # Configure ironic.conf
   ironic_config {
     'conductor/max_time_interval': value => $max_time_interval;
@@ -86,6 +124,9 @@ class ironic::conductor (
     'glance/swift_account': value => $swift_account;
     'neutron/cleaning_network_uuid': value => $cleaning_network_uuid;
     'neutron/provisioning_network_uuid': value => $provisioning_network_uuid;
+    'deploy/erase_devices_priority': value => $erase_devices_priority;
+    'deploy/erase_devices_metadata_priority': value => $erase_devices_metadata_priority;
+    'deploy/continue_if_disk_secure_erase_fails': value => $continue_if_disk_secure_erase_fails;
   }
 
   # Install package

releasenotes/notes/cleaning-erase-2f8b60ae729c86e4.yaml

@@ -0,0 +1,18 @@
+---
+features:
+    - |
+      Add new option ``ironic::conductor::cleaning_disk_erase`` for tweaking
+      how Ironic erases hard drive during cleaning. Possible values:
+
+      * *full* - erase all data on all hard drives using either ATA secure
+        erase or ``shred`` utility.
+
+      * *metadata* - erase only disk metadata on all hard drives, leaving
+        data intact.
+
+      * *none* - do not erase anything (only use it if you have other means
+        of erasing hard drives in place).
+
+    - Add new option ``ironic::conductor::continue_if_disk_secure_erase_fails``
+      which defines whether ironic should fall back to ``shred`` utility
+      if ATA secure erase is available, but fails in the process.

spec/classes/ironic_conductor_spec.rb

@@ -66,6 +66,7 @@ describe 'ironic::conductor' do
       is_expected.to contain_ironic_config('glance/swift_account').with(:value => '<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('neutron/cleaning_network_uuid').with(:value => '<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('neutron/provisioning_network_uuid').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('deploy/continue_if_disk_secure_erase_fails').with(:value => '<SERVICE DEFAULT>')
     end
 
     context 'when overriding parameters' do
@@ -77,7 +78,8 @@ describe 'ironic::conductor' do
           :swift_account                 => '00000000-0000-0000-0000-000000000000',
           :cleaning_network_uuid         => '00000000-0000-0000-0000-000000000000',
           :api_url                       => 'https://127.0.0.1:6385',
-          :provisioning_network_uuid     => '00000000-0000-0000-0000-000000000000'
+          :provisioning_network_uuid     => '00000000-0000-0000-0000-000000000000',
+          :cleaning_disk_erase           => 'metadata',
         )
       end
       it 'should replace default parameter with new value' do
@@ -88,6 +90,8 @@ describe 'ironic::conductor' do
         is_expected.to contain_ironic_config('glance/swift_account').with_value(p[:swift_account])
         is_expected.to contain_ironic_config('neutron/cleaning_network_uuid').with_value('00000000-0000-0000-0000-000000000000')
         is_expected.to contain_ironic_config('neutron/provisioning_network_uuid').with_value('00000000-0000-0000-0000-000000000000')
+        is_expected.to contain_ironic_config('deploy/erase_devices_priority').with_value(0)
+        is_expected.to contain_ironic_config('deploy/erase_devices_metadata_priority').with_value(10)
       end
     end