Missing validation for bootstrap_address in restore_values

Bug #2044551 reported by Raphael Lima
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Raphael Lima

Bug Description

Brief Description
-----------------
When providing the bootstrap_address in restore_values, there's no validation if the provided value have a valid format. Right now, the address is added in inventory exactly as provided and will fail when running the Ansible playbook.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Perform subcloud backup (dcmanager subcloud-backup create --subcloud <subcloud_name> --sysadmin-password <password>)
Create restore_values.yml with a bootstrap_address with invalid format (like 10.10.10.22.22)
Perform subcloud restore with the file (dcmanager subcloud-backup restore --subcloud <subcloud_name> --restore-values <restore_values.yml> --sysadmin-password <password>)

Expected Behavior
------------------
The dcmanager api rejects the request before calling the playbook.

Actual Behavior
----------------
The playbook starts executing.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
DC with at least 1 subcloud

Last Pass
---------
NA

Timestamp/Logs
--------------
Created restore_values.yml:

bootstrap_address:
  subcloud2: 10.10.20.22.22

Ansible log for the subcloud:

2023-11-15-22:28:14 Executing playbook command: ['ansible-playbook', '/usr/share/ansible/stx-ansible/playbooks/restore_subcloud_backup.yml', '-i', '/opt/dc-vault/ansible/subcloud2_inventory.yml', '--limit', 'subcloud2', '-e', 'subcloud_bnr_overrides=/opt/dc-vault/ansible/subcloud2_backup_restore_values.yml']PLAY [all] *********************************************************************TASK [common/remote-execution-precheck : Fail if playbook overrides parameter is not specified] ***
Wednesday 15 November 2023  22:28:14 +0000 (0:00:00.021)       0:00:00.021 ****
skipping: [subcloud2]TASK [common/remote-execution-precheck : Load input parameters for operation] ***
Wednesday 15 November 2023  22:28:14 +0000 (0:00:00.023)       0:00:00.045 ****
ok: [subcloud2]TASK [common/remote-execution-precheck : Retrieve the distributed cloud role] ***
Wednesday 15 November 2023  22:28:14 +0000 (0:00:00.026)       0:00:00.071 ****
[DEPRECATION WARNING]: Distribution debian 11 on host subcloud2 should use
/usr/bin/python3, but is using /usr/bin/python for backward compatibility with
prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See https://docs.ansible.com/ansible/
2.10/reference_appendices/interpreter_discovery.html for more information. This
 feature will be removed in version 2.12. Deprecation warnings can be disabled
by setting deprecation_warnings=False in ansible.cfg.
changed: [subcloud2]TASK [common/remote-execution-precheck : Fail if the playbook is not run on the system controller] ***
Wednesday 15 November 2023  22:28:14 +0000 (0:00:00.188)       0:00:00.260 ****
skipping: [subcloud2]TASK [common/prepare-env : stat] ***********************************************
Wednesday 15 November 2023  22:28:14 +0000 (0:00:00.047)       0:00:00.307 ****
ok: [subcloud2] => (item=/root/secrets.yml)
ok: [subcloud2] => (item=/root/subcloud2_secrets.yml)
ok: [subcloud2] => (item=/root/site.yml)
ok: [subcloud2] => (item=/root/subcloud2.yml)TASK [common/prepare-env : include_vars] ***************************************
Wednesday 15 November 2023  22:28:15 +0000 (0:00:00.559)       0:00:00.866 ****
skipping: [subcloud2] => (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': '/root/secrets.yml', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/root/secrets.yml', 'ansible_loop_var': 'item'})
skipping: [subcloud2] => (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': '/root/subcloud2_secrets.yml', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/root/subcloud2_secrets.yml', 'ansible_loop_var': 'item'})
skipping: [subcloud2] => (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': '/root/site.yml', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/root/site.yml', 'ansible_loop_var': 'item'})
skipping: [subcloud2] => (item={'changed': False, 'stat': {'exists': False}, 'invocation': {'module_args': {'path': '/root/subcloud2.yml', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/root/subcloud2.yml', 'ansible_loop_var': 'item'})TASK [common/prepare-env : Set SSH port] ***************************************
Wednesday 15 November 2023  22:28:15 +0000 (0:00:00.025)       0:00:00.891 ****
ok: [subcloud2]TASK [common/prepare-env : Format the ansible host if it is an IP address] *****
Wednesday 15 November 2023  22:28:15 +0000 (0:00:00.015)       0:00:00.907 ****
skipping: [subcloud2]TASK [common/prepare-env : Check connectivity] *********************************
Wednesday 15 November 2023  22:28:15 +0000 (0:00:00.024)       0:00:00.931 ****
fatal: [subcloud2]: FAILED! => changed=false
  elapsed: 10
  msg: Timeout when waiting for 10.10.20.22.22:22

PLAY RECAP *********************************************************************
subcloud2                  : ok=4    changed=1    unreachable=0    failed=1    skipped=4    rescued=0    ignored=0Wednesday 15 November 2023  22:28:25 +0000 (0:00:10.340)       0:00:11.271 ****
===============================================================================
common/prepare-env : Check connectivity -------------------------------- 10.34s
common/prepare-env : stat ----------------------------------------------- 0.56s
common/remote-execution-precheck : Retrieve the distributed cloud role --- 0.19s
common/remote-execution-precheck : Fail if the playbook is not run on the system controller --- 0.05s
common/remote-execution-precheck : Load input parameters for operation --- 0.03s
common/prepare-env : include_vars --------------------------------------- 0.03s
common/prepare-env : Format the ansible host if it is an IP address ----- 0.02s
common/remote-execution-precheck : Fail if playbook overrides parameter is not specified --- 0.02s
common/prepare-env : Set SSH port --------------------------------------- 0.02s

Test Activity
-------------
Developer Testing

Workaround
----------
NA

Raphael Lima (r-lima)
information type: Public → Public Security
information type: Public Security → Public
Changed in starlingx:
status: New → In Progress
assignee: nobody → Raphael Lima (r-lima)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to distcloud (master)

Reviewed: https://review.opendev.org/c/starlingx/distcloud/+/901911
Committed: https://opendev.org/starlingx/distcloud/commit/4141cc8b160d1208d6aa3a6717963f4a588a92d1
Submitter: "Zuul (22348)"
Branch: master

commit 4141cc8b160d1208d6aa3a6717963f4a588a92d1
Author: rlima <email address hidden>
Date: Mon Nov 27 09:07:23 2023 -0300

    Missing validation for bootstrap_address in restore_values

    When providing the bootstrap_address in restore_values, there wasn't
    a validation to ensure the provided value had a valid format. Right
    now, the address is added in inventory exactly as provided and will
    fail when running the Ansible playbook.

    This review includes a validation step that evaluates the IP address
    value and raises an exception in case it isn't valid, aborting the
    process for the invalid subcloud.

    Test plan:
      All test cases were performed after a subcloud was deployed and
      had its backup taken.
      Success cases:
      - PASS: Run 'dcmanager subcloud-backup restore' for a subcloud
      using the restore_values.yml file with a valid IP address. The
      subcloud was successfully restored.
      - PASS: Run 'dcmanager subcloud-backup restore' for a subcloud
      group using the restore_values.yml file with a valid IP address
      for a subcloud and an invalid one for another. The subcloud
      with the valid IP address was successfully restored.

      Failure cases:
      - PASS: Run 'dcmanager subcloud-backup restore' for a subcloud
      using the restore_values.yml file with an invalid IP address.
      An error appears in the console stating that the IP address
      is invalid for the specified subcloud.
      - PASS: Run 'dcmanager subcloud-backup restore' for a subcloud
      group using the restore_values.yml file with a valid IP address
      for a subcloud and an invalid one for another. The subcloud with
      the invalid IP address wasn't restored.

    Closes-Bug: 2044551

    Change-Id: Ie9f937db1185aa242112efba17741d97707181f3
    Signed-off-by: rlima <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.distcloud stx.update
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.