[RFE] Deprecate and remove setting IPMI credentials during inspection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic Inspector |
Fix Released
|
Wishlist
|
Dmitry Tantsur | ||
Python client for Ironic Inspector |
Fix Released
|
Wishlist
|
Dmitry Tantsur | ||
ironic-python-agent |
Fix Released
|
Wishlist
|
Dmitry Tantsur | ||
puppet-ironic |
Fix Released
|
Wishlist
|
Dmitry Tantsur |
Bug Description
(copying from the mailing list discussion)
Since nearly its beginning, ironic-inspector has had a controversial feature: we allow a user to request changing IPMI credentials of the node after introspection. The new credentials are passed back from inspector to the ramdisk, and the ramdisk calls "ipmitool" to set them.
Now I realize that the feature has quite a few substantial drawbacks:
1. It's a special case in ironic-inspector. It's the only thing that runs after introspection, and it requires special state machine states and actions.
2. There is no way to signal errors back from the ramdisk. We can only poll the nodes to see if the new credentials match.
3. This is the only place where ironic-inspector modifies physical nodes (as opposed to modifying the ironic database). This feels like a violation of our goal.
4. It depends on ipmitool actually being able to update credentials from within the node without knowing the current ones. I'm not sure how wildly it's supported. I'm pretty sure some hardware does not support it.
5. It's not and never will be tested by any CI. It's not possible to test on VMs at all.
6. Due to its dangerous nature, this feature is hidden behind a configuration option, and is disabled by default.
The upside I see is that it may play nicely with node autodiscovery. I'm not sure they work together today, though. We didn't end up using this feature in our products, and I don't recall being approached by people using it.
I suggest deprecating this feature and removing it in Pike. The rough plan is as follows:
I. Ocata:
* Deprecate the configuration option enabling this feature.
* Create an API version that returns HTTP 400 when this feature is requested.
* Deprecate the associated arguments in CLI.
* Issue a deprecating warning in IPA when this feature is used.
II. Pike:
* Remove the feature from IPA and ironic-inspector.
* Remove the feature from CLI.
Changed in ironic-python-agent: | |
status: | New → Triaged |
importance: | Undecided → Wishlist |
assignee: | nobody → Dmitry Tantsur (divius) |
summary: |
- [RFE] Deprecate setting IPMI credentials + [RFE] Deprecate setting IPMI credentials during inspection |
tags: |
added: rfe-approved removed: rfe |
Changed in python-ironic-inspector-client: | |
status: | New → Triaged |
importance: | Undecided → Wishlist |
assignee: | nobody → Dmitry Tantsur (divius) |
Changed in puppet-ironic: | |
assignee: | nobody → Dmitry Tantsur (divius) |
summary: |
- [RFE] Deprecate setting IPMI credentials during inspection + [RFE] Deprecate and remove setting IPMI credentials during inspection |
Changed in puppet-ironic: | |
importance: | Undecided → Wishlist |
Changed in python-ironic-inspector-client: | |
status: | In Progress → Fix Released |
Fix proposed to branch: master /review. openstack. org/417041
Review: https:/