summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--doc/source/deploy/cleaning.rst9
-rw-r--r--doc/source/deploy/install-guide.rst15
-rw-r--r--doc/source/drivers/ilo.rst146
-rw-r--r--ironic/api/middleware/parsable_error.py2
-rw-r--r--ironic/conductor/manager.py6
-rw-r--r--ironic/conductor/rpcapi.py16
-rw-r--r--ironic/tests/conductor/test_manager.py16
-rw-r--r--ironic/tests/conductor/test_rpcapi.py4
-rw-r--r--ironic/tests/dhcp/test_factory.py2
9 files changed, 168 insertions, 48 deletions
diff --git a/doc/source/deploy/cleaning.rst b/doc/source/deploy/cleaning.rst
index 8897bf46b..0f1a42eda 100644
--- a/doc/source/deploy/cleaning.rst
+++ b/doc/source/deploy/cleaning.rst
@@ -34,6 +34,7 @@ This will enable the default set of steps, based on your hardware and Ironic
drivers. If you're using an agent_* driver, this includes, by default, erasing
all of the previous tenant's data.
+.. _InbandvsOutOfBandCleaning:
In-Band vs Out-of-Band
======================
@@ -58,6 +59,8 @@ Out-of-band are actions performed by your management controller, such as IPMI,
iLO, or DRAC. Out-of-band steps will be performed by Ironic using a Power or
Management driver. Which steps are performed depends on the driver and hardware.
+For Out-of-Band cleaning operations supported by iLO drivers, refer to
+:ref:`ilo_node_cleaning`.
FAQ
===
@@ -85,6 +88,12 @@ to disable erase_devices, you'd use the following config::
[agent]
agent_erase_devices_priority=0
+To enable/disable the in-band disk erase using ``agent_ilo`` driver, use the
+following config::
+
+ [ilo]
+ clean_priority_erase_devices=0
+
What cleaning step is running?
------------------------------
diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst
index 15dd807ea..9043ad69b 100644
--- a/doc/source/deploy/install-guide.rst
+++ b/doc/source/deploy/install-guide.rst
@@ -701,21 +701,6 @@ steps on the Ironic conductor node to configure PXE UEFI environment.
ironic node-update <node-uuid> add properties/capabilities='boot_mode:uefi'
-#. For deploying signed images, update the Ironic node with ``secure_boot``
- capability in node's properties.
- field::
-
- ironic node-update <node-uuid> add properties/capabilities='secure_boot:true'
-
-#. Ensure the public key of the signed image is loaded into baremetal to deploy
- signed images.
- For HP Proliant Gen9 servers, one can enroll public key using iLO System
- Utilities UI. Please refer to section ``Accessing Secure Boot options`` in
- HP UEFI System Utilities User Guide http://www.hp.com/ctg/Manual/c04398276.pdf.
- Also, one can refer to white paper on Secure Boot on Linux for HP Proliant
- Servers at http://h20195.www2.hp.com/V2/getpdf.aspx/4AA5-4496ENW.pdf for
- more details.
-
#. Make sure that bare metal node is configured to boot in UEFI boot mode and
boot device is set to network/pxe.
diff --git a/doc/source/drivers/ilo.rst b/doc/source/drivers/ilo.rst
index 0cfe092ed..3ea0c1929 100644
--- a/doc/source/drivers/ilo.rst
+++ b/doc/source/drivers/ilo.rst
@@ -80,9 +80,10 @@ This driver should work on HP Proliant Gen8 Servers and above with iLO 4.
It has been tested with the following servers:
* ProLiant DL380e Gen8
-* ProLiant DL380e Gen8
* ProLiant DL580 Gen8 UEFI
* ProLiant DL180 Gen9 UEFI
+* ProLiant DL380 Gen9 UEFI
+* ProLiant DL580 Gen9 UEFI
For more up-to-date information on server platform support info, refer
iLO driver wiki [6]_.
@@ -95,11 +96,13 @@ Features
by the nova flavor's extra spec.
* Always boot from network using Virtual Media.
* UEFI Boot Support
+* UEFI Secure Boot Support
* Passing authentication token via secure, encrypted management network
(Virtual Media). Provisioning is done using iSCSI over data network
(like PXE driver), so this driver has the benefit of security
enhancement with the same performance. Hence it segregates management info
from data channel.
+* Support for Out-Of-Band cleaning operations.
* Remote Console
* HW Sensors
* Works well for machines with resource constraints (lesser amount of memory).
@@ -247,7 +250,15 @@ node::
Boot modes
~~~~~~~~~~
-Refer boot_mode_support_ for more information.
+Refer to `Boot mode support`_ section for more information.
+
+UEFI Secure Boot
+~~~~~~~~~~~~~~~~
+Refer to `UEFI Secure Boot support`_ section for more information.
+
+Node cleaning
+~~~~~~~~~~~~~
+Refer to ilo_node_cleaning_ for more information.
agent_ilo driver
^^^^^^^^^^^^^^^^
@@ -271,7 +282,8 @@ This driver should work on HP Proliant Gen8 Servers and above with iLO 4.
It has been tested with the following servers:
* ProLiant DL380e Gen8
-* ProLiant DL380e Gen8
+* ProLiant DL380 Gen9 UEFI
+* ProLiant DL580 Gen9 UEFI
This driver supports only Gen 8 Class 0 systems (BIOS only). For
more up-to-date information, check the iLO driver wiki [6]_.
@@ -279,11 +291,16 @@ more up-to-date information, check the iLO driver wiki [6]_.
Features
~~~~~~~~
* PXE-less deploy with Virtual Media using Ironic Python Agent.
+* Support for out-of-band cleaning operations.
* Remote Console
* HW Sensors
* IPA runs on the baremetal node and pulls the image directly from Swift.
* IPA deployed instances always boots from local disk.
* Segregates management info from data channel.
+* UEFI Boot Support
+* UEFI Secure Boot Support
+* Support to use default in-band cleaning operations supported by
+ Ironic Python Agent. For more details, see :ref:`InbandvsOutOfBandCleaning`.
Requirements
~~~~~~~~~~~~
@@ -421,6 +438,18 @@ node::
ironic node-create -d agent_ilo -i ilo_address=<ilo-ip-address> -i ilo_username=<ilo-username> -i ilo_password=<ilo-password> -i ilo_deploy_iso=<glance-uuid-of-deploy-iso>
+Boot modes
+~~~~~~~~~~
+Refer to `Boot mode support`_ section for more information.
+
+UEFI Secure Boot
+~~~~~~~~~~~~~~~~
+Refer to `UEFI Secure Boot support`_ section for more information.
+
+Node Cleaning
+~~~~~~~~~~~~~
+Refer to ilo_node_cleaning_ for more information.
+
pxe_ilo driver
^^^^^^^^^^^^^^
@@ -456,6 +485,7 @@ Features
* Automatic detection of current boot mode.
* Automatic setting of the required boot mode if UEFI boot mode is requested
by the nova flavor's extra spec.
+* Support for Out-Of-Band cleaning operations.
Requirements
~~~~~~~~~~~~
@@ -510,13 +540,15 @@ node::
Boot modes
~~~~~~~~~~
-Refer boot_mode_support_ for more information.
+Refer to `Boot mode support`_ section for more information.
+
+Node Cleaning
+~~~~~~~~~~~~~
+Refer to ilo_node_cleaning_ for more information.
Functionalities across drivers
==============================
-.. _boot_mode_support:
-
Boot mode support
^^^^^^^^^^^^^^^^^
The following drivers support automatic detection and setting of boot
@@ -524,6 +556,7 @@ mode (Legacy BIOS or UEFI).
* ``pxe_ilo``
* ``iscsi_ilo``
+* ``agent_ilo``
The boot modes can be configured in Ironic in the following way:
@@ -570,6 +603,104 @@ diskimage-builder command to build the image. For example::
disk-image-create ubuntu baremetal iso
+UEFI Secure Boot support
+^^^^^^^^^^^^^^^^^^^^^^^^
+The following drivers support UEFI secure boot deploy:
+
+* ``iscsi_ilo``
+* ``agent_ilo``
+
+The UEFI secure boot mode can be configured in Ironic by adding
+``secure_boot`` parameter in the ``capabilities`` parameter within
+``properties`` field of an Ironic node.
+
+``secure_boot`` is a boolean parameter and takes value as ``true`` or
+``false``.
+
+To enable ``secure_boot`` on a node add it to ``capabilities`` as below::
+
+ ironic node-update <node-uuid> add properties/capabilities='secure_boot:true'
+
+Nodes having ``secure_boot`` set to ``true`` may be requested by adding an
+``extra_spec`` to the Nova flavor::
+
+ nova flavor-key ironic-test-3 set capabilities:secure_boot="true"
+ nova boot --flavor ironic-test-3 --image test-image instance-1
+
+If ``capabilities`` is used in ``extra_spec`` as above, Nova scheduler
+(``ComputeCapabilitiesFilter``) will match only Ironic nodes which have
+the ``secure_boot`` set appropriately in ``properties/capabilities``. It will
+filter out rest of the nodes.
+
+The above facility for matching in Nova can be used in heterogeneous
+environments where there is a mix of machines supporting and not supporting
+UEFI secure boot, and operator wants to provide a choice to the user
+regarding secure boot. If the flavor doesn't contain ``secure_boot`` then
+Nova scheduler will not consider secure boot mode as a placement criteria,
+hence user may get a secure boot capable machine that matches with user
+specified flavors but deployment would not use its secure boot capability.
+Secure boot deploy would happen only when it is explicitly specified through
+flavor.
+
+Ensure the public key of the signed image is loaded into baremetal to deploy
+signed images.
+For HP Proliant Gen9 servers, one can enroll public key using iLO System
+Utilities UI. Please refer to section ``Accessing Secure Boot options`` in
+HP UEFI System Utilities User Guide. [7]_
+One can also refer to white paper on Secure Boot for Linux on HP Proliant
+servers for additional details. [8]_
+
+.. _ilo_node_cleaning:
+
+Node Cleaning
+^^^^^^^^^^^^^
+The following iLO drivers support node cleaning -
+
+* ``pxe_ilo``
+* ``iscsi_ilo``
+* ``agent_ilo``
+
+Supported Cleaning Operations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* The cleaning operations supported are:
+
+ -``reset_ilo``:
+ Resets the iLO. By default, enabled with priority 1.
+ -``reset_bios_to_default``:
+ Resets BIOS Settings to default. By default, enabled with priority 10.
+ This clean step is supported only on Gen9 and above servers.
+ -``reset_secure_boot_keys_to_default``:
+ Resets secure boot keys to manufacturer's defaults. This step is supported
+ only on Gen9 and above servers. By default, enabled with priority 20 .
+ -``reset_ilo_credential``:
+ Resets the iLO password, if 'ilo_change_password' is specified as part of
+ node's driver_info. By default, enabled with priority 30.
+ -``clear_secure_boot_keys``:
+ Clears all secure boot keys. This step is supported only on Gen9 and above
+ servers. By default, this step is disabled.
+
+* For in-band cleaning operations supported by ``agent_ilo`` driver, see
+ :ref:`InbandvsOutOfBandCleaning`.
+
+* All the cleaning steps have an explicit configuration option for priority.
+ In order to disable or change the priority of the clean steps, respective
+ configuration option for priority should be updated in ironic.conf.
+
+* Updating clean step priority to 0, will disable that particular clean step
+ and will not run during cleaning.
+
+* Configuration Options for the clean steps are listed under [ilo] section in
+ ironic.conf ::
+
+ - clean_priority_reset_ilo=1
+ - clean_priority_reset_bios_to_default=10
+ - clean_priority_reset_secure_boot_keys_to_default=20
+ - clean_priority_clear_secure_boot_keys=0
+ - clean_priority_reset_ilo_credential=30
+ - clean_priority_erase_devices=10
+
+For more information on node cleaning, see [9]_.
References
==========
@@ -579,4 +710,7 @@ References
.. [4] http://docs.openstack.org/developer/glance/configuring.html#configuring-the-swift-storage-backend
.. [5] Ironic Python Agent - https://github.com/openstack/ironic-python-agent
.. [6] https://wiki.openstack.org/wiki/Ironic/Drivers/iLODrivers
+.. [7] HP UEFI System Utilities User Guide - http://www.hp.com/ctg/Manual/c04398276.pdf
+.. [8] Secure Boot for Linux on HP Proliant servers http://h20195.www2.hp.com/V2/getpdf.aspx/4AA5-4496ENW.pdf
+.. [9] http://docs.openstack.org/developer/ironic/deploy/cleaning.html
diff --git a/ironic/api/middleware/parsable_error.py b/ironic/api/middleware/parsable_error.py
index 1b86e14ff..42e2d6875 100644
--- a/ironic/api/middleware/parsable_error.py
+++ b/ironic/api/middleware/parsable_error.py
@@ -85,7 +85,7 @@ class ParsableErrorMiddleware(object):
else:
body = [json.dumps({'error_message': '\n'.join(app_iter)})]
state['headers'].append(('Content-Type', 'application/json'))
- state['headers'].append(('Content-Length', len(body[0])))
+ state['headers'].append(('Content-Length', str(len(body[0]))))
else:
body = app_iter
return body
diff --git a/ironic/conductor/manager.py b/ironic/conductor/manager.py
index 3322741ab..c2b75bca0 100644
--- a/ironic/conductor/manager.py
+++ b/ironic/conductor/manager.py
@@ -204,7 +204,7 @@ class ConductorManager(periodic_task.PeriodicTasks):
"""Ironic Conductor manager main class."""
# NOTE(rloo): This must be in sync with rpcapi.ConductorAPI's.
- RPC_API_VERSION = '1.26'
+ RPC_API_VERSION = '1.27'
target = messaging.Target(version=RPC_API_VERSION)
@@ -824,10 +824,6 @@ class ConductorManager(periodic_task.PeriodicTasks):
state=node.provision_state)
self._do_node_clean(task)
- @messaging.expected_exceptions(exception.NoFreeConductorWorker,
- exception.NodeLocked,
- exception.InvalidStateRequested,
- exception.NodeNotFound)
def continue_node_clean(self, context, node_id):
"""RPC method to continue cleaning a node.
diff --git a/ironic/conductor/rpcapi.py b/ironic/conductor/rpcapi.py
index 06c7d434c..1ca0db5ee 100644
--- a/ironic/conductor/rpcapi.py
+++ b/ironic/conductor/rpcapi.py
@@ -69,11 +69,12 @@ class ConductorAPI(object):
| 1.24 - Added inspect_hardware method
| 1.25 - Added destroy_port
| 1.26 - Added continue_node_clean
+ | 1.27 - Convert continue_node_clean to cast
"""
# NOTE(rloo): This must be in sync with manager.ConductorManager's.
- RPC_API_VERSION = '1.26'
+ RPC_API_VERSION = '1.27'
def __init__(self, topic=None):
super(ConductorAPI, self).__init__()
@@ -329,18 +330,15 @@ class ConductorAPI(object):
def continue_node_clean(self, context, node_id, topic=None):
"""Signal to conductor service to start the next cleaning action.
+ NOTE(JoshNang) this is an RPC cast, there will be no response or
+ exception raised by the conductor for this RPC.
+
:param context: request context.
:param node_id: node id or uuid.
:param topic: RPC topic. Defaults to self.topic.
- :raises: NoFreeConductorWorker when there is no free worker to start
- async task.
- :raises: InvalidStateRequested if the requested action can not
- be performed.
- :raises: NodeLocked if node is locked by another conductor.
- :raises: NodeNotFound if the node no longer appears in the database
"""
- cctxt = self.client.prepare(topic=topic or self.topic, version='1.26')
- return cctxt.call(context, 'continue_node_clean',
+ cctxt = self.client.prepare(topic=topic or self.topic, version='1.27')
+ return cctxt.cast(context, 'continue_node_clean',
node_id=node_id)
def validate_driver_interfaces(self, context, node_id, topic=None):
diff --git a/ironic/tests/conductor/test_manager.py b/ironic/tests/conductor/test_manager.py
index 47a6e77f7..df0078712 100644
--- a/ironic/tests/conductor/test_manager.py
+++ b/ironic/tests/conductor/test_manager.py
@@ -1606,11 +1606,9 @@ class DoNodeCleanTestCase(_ServiceSetUpMixin, tests_db_base.DbTestCase):
mock_spawn.side_effect = exception.NoFreeConductorWorker()
- exc = self.assertRaises(messaging.rpc.ExpectedException,
- self.service.continue_node_clean,
- self.context, node.uuid)
- # Compare true exception hidden by @messaging.expected_exceptions
- self.assertEqual(exception.NoFreeConductorWorker, exc.exc_info[0])
+ self.assertRaises(exception.NoFreeConductorWorker,
+ self.service.continue_node_clean,
+ self.context, node.uuid)
self.service._worker_pool.waitall()
node.refresh()
@@ -1630,11 +1628,9 @@ class DoNodeCleanTestCase(_ServiceSetUpMixin, tests_db_base.DbTestCase):
last_error=None)
self._start_service()
- exc = self.assertRaises(messaging.rpc.ExpectedException,
- self.service.continue_node_clean,
- self.context, node.uuid)
- # Compare true exception hidden by @messaging.expected_exceptions
- self.assertEqual(exception.InvalidStateRequested, exc.exc_info[0])
+ self.assertRaises(exception.InvalidStateRequested,
+ self.service.continue_node_clean,
+ self.context, node.uuid)
self.service._worker_pool.waitall()
node.refresh()
diff --git a/ironic/tests/conductor/test_rpcapi.py b/ironic/tests/conductor/test_rpcapi.py
index 1ec18db3f..e7d27627c 100644
--- a/ironic/tests/conductor/test_rpcapi.py
+++ b/ironic/tests/conductor/test_rpcapi.py
@@ -291,6 +291,6 @@ class RPCAPITestCase(base.DbTestCase):
def test_continue_node_clean(self):
self._test_rpcapi('continue_node_clean',
- 'call',
- version='1.26',
+ 'cast',
+ version='1.27',
node_id=self.fake_node['uuid'])
diff --git a/ironic/tests/dhcp/test_factory.py b/ironic/tests/dhcp/test_factory.py
index 850479f8f..798beb42a 100644
--- a/ironic/tests/dhcp/test_factory.py
+++ b/ironic/tests/dhcp/test_factory.py
@@ -34,6 +34,8 @@ class TestDHCPFactory(base.TestCase):
url_timeout=30,
group='neutron')
dhcp_factory.DHCPFactory._dhcp_provider = None
+ self.addCleanup(setattr, dhcp_factory.DHCPFactory,
+ '_dhcp_provider', None)
def test_default_dhcp(self):
# dhcp provider should default to neutron
View Lorry Controller Status