ironic-python-agent

[RFE] Deprecate and remove setting IPMI credentials during inspection

Bug #1654318 reported by Dmitry Tantsur
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ironic Inspector
Fix Released
Wishlist
Dmitry Tantsur
Python client for Ironic Inspector
Fix Released
Wishlist
Dmitry Tantsur
ironic-python-agent
Fix Released
Wishlist
Dmitry Tantsur
puppet-ironic
Fix Released
Wishlist
Dmitry Tantsur

Bug Description

(copying from the mailing list discussion)

Since nearly its beginning, ironic-inspector has had a controversial feature: we allow a user to request changing IPMI credentials of the node after introspection. The new credentials are passed back from inspector to the ramdisk, and the ramdisk calls "ipmitool" to set them.

Now I realize that the feature has quite a few substantial drawbacks:
1. It's a special case in ironic-inspector. It's the only thing that runs after introspection, and it requires special state machine states and actions.
2. There is no way to signal errors back from the ramdisk. We can only poll the nodes to see if the new credentials match.
3. This is the only place where ironic-inspector modifies physical nodes (as opposed to modifying the ironic database). This feels like a violation of our goal.
4. It depends on ipmitool actually being able to update credentials from within the node without knowing the current ones. I'm not sure how wildly it's supported. I'm pretty sure some hardware does not support it.
5. It's not and never will be tested by any CI. It's not possible to test on VMs at all.
6. Due to its dangerous nature, this feature is hidden behind a configuration option, and is disabled by default.

The upside I see is that it may play nicely with node autodiscovery. I'm not sure they work together today, though. We didn't end up using this feature in our products, and I don't recall being approached by people using it.

I suggest deprecating this feature and removing it in Pike. The rough plan is as follows:

I. Ocata:
 * Deprecate the configuration option enabling this feature.
 * Create an API version that returns HTTP 400 when this feature is requested.
 * Deprecate the associated arguments in CLI.
 * Issue a deprecating warning in IPA when this feature is used.

II. Pike:
 * Remove the feature from IPA and ironic-inspector.
 * Remove the feature from CLI.

Tags: rfe-approved
Dmitry Tantsur (divius)
Changed in ironic-python-agent:
status: New → Triaged
importance: Undecided → Wishlist
assignee: nobody → Dmitry Tantsur (divius)
summary: - [RFE] Deprecate setting IPMI credentials
+ [RFE] Deprecate setting IPMI credentials during inspection
Jim Rollenhagen (jim-rollenhagen)
tags: added: rfe-approved
removed: rfe
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-inspector (master)

Fix proposed to branch: master
Review: https://review.openstack.org/417041

Changed in ironic-inspector:
status: Triaged → In Progress
Dmitry Tantsur (divius)
Changed in python-ironic-inspector-client:
status: New → Triaged
importance: Undecided → Wishlist
assignee: nobody → Dmitry Tantsur (divius)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-ironic-inspector-client (master)

Fix proposed to branch: master
Review: https://review.openstack.org/422788

Changed in python-ironic-inspector-client:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-ironic-inspector-client (master)

Reviewed: https://review.openstack.org/422788
Committed: https://git.openstack.org/cgit/openstack/python-ironic-inspector-client/commit/?id=f3163834fdc1f48b50cfcb51c05b4026c297d5d1
Submitter: Jenkins
Branch: master

commit f3163834fdc1f48b50cfcb51c05b4026c297d5d1
Author: Dmitry Tantsur <email address hidden>
Date: Thu Jan 19 19:08:10 2017 +0100

    Deprecate setting IPMI credentials

    This feature will be removed from ironic-inspector, so issue a warning
    on the client side as well.

    Change-Id: I5a09bcc63ee1d704fdda70d50d68dc8bfbb06d1b
    Partial-Bug: #1654318

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-inspector (master)

Reviewed: https://review.openstack.org/417041
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=635db52b4dd8672009ef031974896ee6a93fb913
Submitter: Jenkins
Branch: master

commit 635db52b4dd8672009ef031974896ee6a93fb913
Author: Dmitry Tantsur <email address hidden>
Date: Thu Jan 5 17:30:07 2017 +0100

    Deprecate setting IPMI credentials

    This feature is dangerous, barely maintained and not covered by any CI.
    As it was hidden behind a configuration option, we can remove it without
    breaking our API contract too much. This change deprecates the option,
    and create an API version with this feature already de-activated.

    Change-Id: I9e05c36b8c1194f4eeeb80c1f811e808854974c4
    Partial-Bug: #1654318

Dmitry Tantsur (divius)
Changed in puppet-ironic:
assignee: nobody → Dmitry Tantsur (divius)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/427198

Changed in puppet-ironic:
status: New → In Progress
Dmitry Tantsur (divius)
summary: - [RFE] Deprecate setting IPMI credentials during inspection
+ [RFE] Deprecate and remove setting IPMI credentials during inspection
Emilien Macchi (emilienm)
Changed in puppet-ironic:
importance: Undecided → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ironic (master)

Reviewed: https://review.openstack.org/427198
Committed: https://git.openstack.org/cgit/openstack/puppet-ironic/commit/?id=c8ad960a4cb5608bbaf3f5c7cfb1c75b50a0f849
Submitter: Jenkins
Branch: master

commit c8ad960a4cb5608bbaf3f5c7cfb1c75b50a0f849
Author: Dmitry Tantsur <email address hidden>
Date: Tue Jan 31 14:16:43 2017 +0100

    Deprecate inspector::enable_setting_ipmi_credentials

    This option was deprecated upstream. Also reset its default to
    $::os_service_default (which is actually the same as previous value).

    Change-Id: If34b438ee31cf206729f7cf5b8fe230cafad38ae
    Partial-Bug: #1654318

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-inspector (master)

Fix proposed to branch: master
Review: https://review.openstack.org/466234

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-inspector (master)

Reviewed: https://review.openstack.org/466234
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=e05257035ca9dfa53c59ec5b7aa451dc061b452d
Submitter: Jenkins
Branch: master

commit e05257035ca9dfa53c59ec5b7aa451dc061b452d
Author: Dmitry Tantsur <email address hidden>
Date: Fri May 19 10:58:13 2017 +0200

    Completely remove support for setting IPMI credentials

    This experimental feature was deprecated in the Ocata release,
    as it was found unstable, untested and dangerous.

    API version is bumped to 1.12 to indicate this change to users.

    Change-Id: I1aad6ddfd03946edc19ae510accd6c8daf5fc268
    Closes-Bug: #1654318

Changed in ironic-inspector:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic-inspector 6.0.0

This issue was fixed in the openstack/ironic-inspector 6.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-python-agent (master)

Fix proposed to branch: master
Review: https://review.openstack.org/505194

Changed in ironic-python-agent:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/505195

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-python-agent (master)

Reviewed: https://review.openstack.org/505194
Committed: https://git.openstack.org/cgit/openstack/ironic-python-agent/commit/?id=f153a741e128501b4fe5ac30c763c670693766e5
Submitter: Jenkins
Branch: master

commit f153a741e128501b4fe5ac30c763c670693766e5
Author: Dmitry Tantsur <email address hidden>
Date: Tue Sep 19 14:01:56 2017 +0200

    Clean up deprecated items in the inspection code

    * Remove support for setting IPMI credentials (removed from inspector in Pike)
    * Stop sending the ipmi_address field (bmc_address is used instead since Pike)

    Change-Id: I1696041db62ba27e5d31e8481cb225a43d7e2a46
    Closes-Bug: #1654318

Changed in ironic-python-agent:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ironic (master)

Reviewed: https://review.openstack.org/505195
Committed: https://git.openstack.org/cgit/openstack/puppet-ironic/commit/?id=d86a38c7efa968c23e9342791ef77988f899ac66
Submitter: Jenkins
Branch: master

commit d86a38c7efa968c23e9342791ef77988f899ac66
Author: Dmitry Tantsur <email address hidden>
Date: Tue Sep 19 14:09:00 2017 +0200

    Removed deprecated support for setting IPMI credentials

    Closes-Bug: #1654318
    Change-Id: Idc613717cfbeabc173ef5853c08d97a273913c12

Changed in puppet-ironic:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic-python-agent 3.0.0

This issue was fixed in the openstack/ironic-python-agent 3.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-ironic 12.0.0

This issue was fixed in the openstack/puppet-ironic 12.0.0 release.

Dmitry Tantsur (divius)
Changed in python-ironic-inspector-client:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.