Skc baremetal environment #2002
Conversation
skc-baremetal-environment
…hpc-kayobe-config into skc-baremetal-environment
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a comprehensive set of Ansible playbooks and configurations for managing baremetal environments with Kayobe, specifically for Ironic-based provisioning. It adds two new environments: stackhpc-baremetal for physical hardware and stackhpc-sushy-baremetal for virtualized testing using Sushy emulator. While the changes are extensive and well-structured, the review identified several critical and high-severity issues. These include security vulnerabilities like hardcoded passwords and password hashes, configuration errors such as duplicated sections in configuration files, and bugs in logic that could cause playbooks to fail. Additionally, there are multiple instances of inconsistent variable naming, missing URL schemes, and deviations from Ansible best practices that affect maintainability and robustness. Addressing these issues is crucial before merging.
| [neutron] | ||
| # Increase the neutron client timeout to allow for the slow management | ||
| # switches. | ||
| timeout = 300 | ||
| request_timeout = 300 | ||
|
|
||
| [glance] | ||
| # Retry image download at least once if failure | ||
| num_retries = 1 | ||
|
|
||
| [neutron] | ||
| inspection_network = "{{ inspection_net_name | default('inspect-net' )}}" |
There was a problem hiding this comment.
The [neutron] section is duplicated. This will cause the second instance to override the first, losing the timeout and request_timeout configurations. The sections should be merged.
[neutron]
# Increase the neutron client timeout to allow for the slow management
# switches.
timeout = 300
request_timeout = 300
inspection_network = "{{ inspection_net_name | default('inspect-net' )}}"
| ipa_build_dib_env_extra: | ||
| DIB_DEV_USER_USERNAME: devuser | ||
| DIB_DEV_USER_PWDLESS_SUDO: yes | ||
| DIB_DEV_USER_PASSWORD: yes |
There was a problem hiding this comment.
Setting DIB_DEV_USER_PASSWORD to yes will set the password for the devuser to the literal string "yes". This is highly insecure. If a password is required, it should be a strong, securely generated one (e.g., from Ansible Vault). If passwordless sudo via an SSH key is the intention, this variable should be removed.
DIB_DEV_USER_PASSWORD: "{{ devuser_password }}"| inspection_network = "{{ inspection_net_name | default('inspect-net' )}}" | ||
|
|
||
| [redfish] | ||
| kernel_append_params = nofb nomodeset vga=normal console=tty0 console=ttyS0,115200n8 ipa-insecure=1 {% if internal_net_ip %}ipa-ntp-server={{ internal_net_ip }}{% endif %} rootpwd="$$1$$Za/e7wKG$$aT8ydkGT514shSjwUZhFC/" |
There was a problem hiding this comment.
A hardcoded password hash for rootpwd is a significant security risk. The hash corresponds to the password 'password'. This should be replaced with a securely generated password, for example using a variable from Ansible Vault.
kernel_append_params = nofb nomodeset vga=normal console=tty0 console=ttyS0,115200n8 ipa-insecure=1 {% if internal_net_ip %}ipa-ntp-server={{ internal_net_ip }}{% endif %} rootpwd="{{ ipa_agent_root_password_hash }}"
|
|
||
| - name: Check BMC is up | ||
| ansible.builtin.uri: | ||
| url: "{{ ironic_driver_info['redfish_address'] + '/redfish/v1' }}" |
There was a problem hiding this comment.
The URL is missing a protocol scheme (e.g., http:// or https://). The ansible.builtin.uri module requires a full URL. Based on the use of Redfish, it should likely be https://.
url: "https://{{ ironic_driver_info['redfish_address'] }}/redfish/v1"|
|
||
| - name: Check BMC is up | ||
| ansible.builtin.uri: | ||
| url: "{{ ironic_driver_info['redfish_address'] + '/redfish/v1' }}" |
There was a problem hiding this comment.
The URL is missing a protocol scheme (e.g., http:// or https://). The ansible.builtin.uri module requires a full URL. Based on the use of Redfish, it should likely be https://.
url: "https://{{ ironic_driver_info['redfish_address'] }}/redfish/v1"| # - name: Wait 300 seconds for port 443 to become open | ||
| # ansible.builtin.wait_for: | ||
| # port: 443 | ||
| # host: "{{ ironic_redfish_address }}" | ||
| # delay: 20 | ||
| # timeout: 300 | ||
| # when: | ||
| # - kayobe_bmc_up == "" | ||
| # - ironic_redfish_username is defined |
There was a problem hiding this comment.
This block of code is commented out. If it's no longer needed, it should be removed to improve code clarity.
| Description=Virtual Redfish BMC service | ||
|
|
||
| [Service] | ||
| ExecStart=/opt/kayobe/venvs/sushy/bin/sushy-emulator -i 192.168.33.3 -p 34343 --config /etc/sushy/sushy.conf |
There was a problem hiding this comment.
The IP address and port for the sushy emulator are hardcoded. These should be defined as variables to make the service more flexible and configurable across different environments.
ExecStart=/opt/kayobe/venvs/sushy/bin/sushy-emulator -i {{ sushy_listen_ip }} -p {{ sushy_listen_port }} --config /etc/sushy/sushy.conf
| register: node_set | ||
| failed_when: | ||
| - node_set.rc != 0 | ||
| changed_when: true | ||
| when: kayobe_bmc_up == "" | ||
|
|
||
| - name: Try move from enroll to manageable | ||
| ansible.builtin.command: | ||
| cmd: | | ||
| {{ venv }}/bin/openstack baremetal node manage {{ inventory_hostname }} --wait 300 | ||
| register: node_set |
There was a problem hiding this comment.
The variable node_set is used to register the result of two different tasks. This is poor practice as it can lead to confusion and bugs where one task's result is unintentionally used by logic expecting the other's. Please use unique names for each registered variable.
|
|
||
| redifsh_address: "http://192.168.33.3:34343" | ||
| ironic_redfish_address: "192.168.33.3:34343" | ||
| ironic_flat_provisioning_network: provision-net No newline at end of file |
There was a problem hiding this comment.
This file is missing a newline at the end. It's a common convention and good practice to have one.
ironic_flat_provisioning_network: provision-net
| ansible.builtin.shell: | ||
| cmd: | | ||
| {{ venv }}/bin/openstack baremetal node create \ | ||
| --name {{ inventory_hostname }} \ | ||
| --driver {{ ironic_driver }} \ | ||
| {% for key, value in ironic_driver_info.items() %} | ||
| --driver-info {{ key }}={{ value }} \ | ||
| {% endfor %} | ||
| {% for key, value in ironic_properties.items() %} | ||
| --property {{ key }}={{ value }} \ | ||
| {% endfor %} | ||
| --resource-class {{ ironic_resource_class }} |
There was a problem hiding this comment.
The ansible.builtin.shell module is used here. Since the command does not use any shell-specific features like pipes or redirection, it is better practice to use ansible.builtin.command. This improves security and predictability. The > YAML operator can be used to format the multi-line command.
ansible.builtin.command:
cmd: >
{{ venv }}/bin/openstack baremetal node create
--name {{ inventory_hostname }}
--driver {{ ironic_driver }}
{% for key, value in ironic_driver_info.items() %}
--driver-info {{ key }}={{ value }}
{% endfor %}
{% for key, value in ironic_properties.items() %}
--property {{ key }}={{ value }}
{% endfor %}
--resource-class {{ ironic_resource_class }}
claudia-lola
temporarily deployed
to
Leafcloud
GitHub Actions
Inactive
claudia-lola
temporarily deployed
to
Leafcloud
GitHub Actions
Inactive
claudia-lola
temporarily deployed
to
Leafcloud
GitHub Actions
Inactive
claudia-lola
had a problem deploying
to
SMS Lab
GitHub Actions
Failure
claudia-lola
had a problem deploying
to
Leafcloud
GitHub Actions
Failure
claudia-lola
had a problem deploying
to
Leafcloud
GitHub Actions
Failure
claudia-lola
had a problem deploying
to
SMS Lab
GitHub Actions
Failure
claudia-lola
had a problem deploying
to
Leafcloud
GitHub Actions
Failure
claudia-lola
had a problem deploying
to
SMS Lab
GitHub Actions
Failure
No description provided.