authorDmitry Tantsur <dtantsur@protonmail.com>2022-02-09 14:33:57 +0100
committerDmitry Tantsur <dtantsur@protonmail.com>2022-02-23 12:15:33 +0100
commit5a9dd8b0920e43e406bb4743771af8661842e63e (patch)
tree496ff5038ef7a34bb6d91a61f21e14be1a90a2cd
parent2f09b7b1026551cb5818436a3714260fee9fcac4 (diff)
downloadironic-5a9dd8b0920e43e406bb4743771af8661842e63e.tar.gz
Deprecate instance network boot
It's insecure and not very popular. See this post for details: http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026224.html Change-Id: I9a2df47bb8c08cc991b3c615a9eb533aba3171f4
-rw-r--r--doc/source/admin/adoption.rst5
-rw-r--r--doc/source/admin/drivers/ilo.rst5
-rw-r--r--doc/source/admin/drivers/snmp.rst29
-rw-r--r--doc/source/admin/report.txt2
-rw-r--r--ironic/conf/deploy.py5
-rw-r--r--ironic/drivers/modules/agent.py5
-rw-r--r--ironic/drivers/modules/deploy_utils.py6
-rw-r--r--releasenotes/notes/netboot-deprecation-fe5751a47df2d0b7.yaml14
-rw-r--r--zuul.d/ironic-jobs.yaml2
9 files changed, 40 insertions, 33 deletions
diff --git a/doc/source/admin/adoption.rst b/doc/source/admin/adoption.rst
index ba404fd0b..570b36072 100644
--- a/doc/source/admin/adoption.rst
+++ b/doc/source/admin/adoption.rst
@@ -51,10 +51,7 @@ The adoption process makes no changes to the physical node, with the
exception of operator supplied configurations where virtual media is
used to boot the node under normal circumstances. An operator should
ensure that any supplied configuration defining the node is sufficient
-for the continued operation of the node moving forward. Such as, if the
-node is configured to network boot via instance_info/boot_option="netboot",
-then appropriate driver specific node configuration should be set to
-support this capability.
+for the continued operation of the node moving forward.
Possible Risk
=============
diff --git a/doc/source/admin/drivers/ilo.rst b/doc/source/admin/drivers/ilo.rst
index 40bb06735..4ffa8bcfb 100644
--- a/doc/source/admin/drivers/ilo.rst
+++ b/doc/source/admin/drivers/ilo.rst
@@ -1084,6 +1084,11 @@ intermediate images on conductor as described in
Deploy Process
==============
+.. note::
+ Network boot is deprecated and will be removed in the Zed release.
+
+.. TODO(dtantsur): review these diagrams to exclude netboot.
+
Netboot with glance and swift
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/doc/source/admin/drivers/snmp.rst b/doc/source/admin/drivers/snmp.rst
index 7a91bc126..1c402ab9b 100644
--- a/doc/source/admin/drivers/snmp.rst
+++ b/doc/source/admin/drivers/snmp.rst
@@ -77,30 +77,20 @@ Enabling the SNMP Hardware Type
enabled_management_interfaces = noop
enabled_power_interfaces = snmp
-#. To set the default boot option, update ``default_boot_option`` in
+#. To enable the network boot fallback, update ``enable_netboot_fallback`` in
``ironic.conf``:
.. code-block:: ini
- [DEFAULT]
- default_boot_option = netboot
-
- .. note::
- Currently the default value of ``default_boot_option`` is ``netboot``
- but it will be changed to ``local`` in the future. It is recommended
- to set an explicit value for this option.
+ [pxe]
+ enable_netboot_fallback = True
.. note::
- It is important to set ``boot_option`` to ``netboot`` as SNMP hardware
- type does not support setting of boot devices. One can also configure
- a node to boot using ``netboot`` by setting its ``capabilities`` and
- updating Nova flavor as described below:
-
- .. code-block:: console
-
- baremetal node set --property capabilities="boot_option:netboot" <node>
- openstack flavor set --property "capabilities:boot_option"="netboot" ironic-flavor
-
+ It is important to enable the fallback as SNMP hardware type does not
+ support setting of boot devices. When booting in legacy (BIOS) mode,
+ the generated network booting artifact will force booting from local
+ disk. In UEFI mode, Ironic will configure the boot order using UEFI
+ variables.
#. Restart the Ironic conductor service.
@@ -165,5 +155,4 @@ type:
--driver snmp --driver-info snmp_driver=<pdu_manufacturer> \
--driver-info snmp_address=<ip_address> \
--driver-info snmp_outlet=<outlet_index> \
- --driver-info snmp_community=<community_string> \
- --properties capabilities=boot_option:netboot
+ --driver-info snmp_community=<community_string>
diff --git a/doc/source/admin/report.txt b/doc/source/admin/report.txt
index e098e5aef..1f1fc4d8e 100644
--- a/doc/source/admin/report.txt
+++ b/doc/source/admin/report.txt
@@ -321,7 +321,7 @@ default:
deploy:
continue_if_disk_secure_erase_fails = False
- default_boot_option = netboot
+ default_boot_option = local
erase_devices_metadata_priority = None
erase_devices_priority = 0
http_root = /opt/stack/data/ironic/httpboot
diff --git a/ironic/conf/deploy.py b/ironic/conf/deploy.py
index 32f53644a..7a7fb37d7 100644
--- a/ironic/conf/deploy.py
+++ b/ironic/conf/deploy.py
@@ -128,7 +128,10 @@ opts = [
help=_('Default boot option to use when no boot option is '
'requested in node\'s driver_info. Defaults to '
'"local". Prior to the Ussuri release, the default '
- 'was "netboot".')),
+ 'was "netboot".'),
+ deprecated_for_removal=True,
+ deprecated_reason=_('Support for network boot will be removed '
+ 'after the Yoga release.')),
cfg.StrOpt('default_boot_mode',
choices=[(boot_modes.UEFI, _('UEFI boot mode')),
(boot_modes.LEGACY_BIOS, _('Legacy BIOS boot mode'))],
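Review bot: The `deprecated_reason` added to `default_boot_option` only says that network boot support will be removed, so an operator who sees the warning is not told what to do. As far as I know, oslo.config logs the deprecation warning whenever the option is set explicitly, so a deployment that pins the safe value `local` would likely see it too. Consider stating the rationale from the commit message and the action, e.g. `deprecated_reason=_('Network boot of instances is insecure and will be removed after the Yoga release; remove this option to use the "local" default.')`. The option definition starts above the hunk, so its type and any `choices` are not visible here.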
diff --git a/ironic/drivers/modules/agent.py b/ironic/drivers/modules/agent.py
index 2dcd8a819..c171f81b1 100644
--- a/ironic/drivers/modules/agent.py
+++ b/ironic/drivers/modules/agent.py
@@ -505,6 +505,11 @@ class AgentDeploy(CustomAgentDeploy):
validate_http_provisioning_configuration(node)
validate_image_proxies(node)
+ capabilities = utils.parse_instance_info_capabilities(node)
+ if 'boot_option' in capabilities:
+ LOG.warning("The boot_option capability has been deprecated, "
+ "please unset it for node %s", node.uuid)
+
@METRICS.timer('AgentDeployMixin.write_image')
@base.deploy_step(priority=80)
@task_manager.require_exclusive_lock
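Review bot: The new warning fires whenever `boot_option` is present in the parsed instance_info capabilities, but it does not log the value. An operator therefore cannot tell a node still set to `netboot`, the mode the release note calls insecure for partition images, from one redundantly set to `local`. Logging the value would let the nodes that need attention be found first: `LOG.warning("The boot_option capability (%s) has been deprecated, please unset it for node %s", capabilities['boot_option'], node.uuid)`. The enclosing method starts outside the hunk, so how often this runs per node is not visible; if it runs on every validation, the message may repeat often.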
diff --git a/ironic/drivers/modules/deploy_utils.py b/ironic/drivers/modules/deploy_utils.py
index e1aabb500..d09a616ea 100644
--- a/ironic/drivers/modules/deploy_utils.py
+++ b/ironic/drivers/modules/deploy_utils.py
@@ -604,12 +604,6 @@ def validate_image_properties(task, deploy_info):
"%(properties)s") % {'image': image_href, 'properties': props})
-def get_default_boot_option():
- """Gets the default boot option."""
- # TODO(TheJulia): Deprecated: Remove after Ussuri.
- return CONF.deploy.default_boot_option
-
-
def get_boot_option(node):
"""Gets the boot option.
diff --git a/releasenotes/notes/netboot-deprecation-fe5751a47df2d0b7.yaml b/releasenotes/notes/netboot-deprecation-fe5751a47df2d0b7.yaml
new file mode 100644
index 000000000..9c8df1106
--- /dev/null
+++ b/releasenotes/notes/netboot-deprecation-fe5751a47df2d0b7.yaml
@@ -0,0 +1,14 @@
+---
+deprecations:
+ - |
+ Booting final instances via network (as opposed to via a local bootloader)
+ is now deprecated, except for the cases of booting from volume or the
+ ramdisk deploy interface.
+
+ Network boot for whole disk images only works reliable for legacy (BIOS)
+ boot. In case of partition images, there is no way to update the kernel,
+ which makes this approach insecure.
+
+ Users of partition images must ensure that they either contain the
+ ``grub-install`` binary, enough EFI artifacts to boot the operating
+ system or a legacy boot partition.
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml
index 9b928f074..ff7727b7a 100644
--- a/zuul.d/ironic-jobs.yaml
+++ b/zuul.d/ironic-jobs.yaml
@@ -322,7 +322,7 @@
- job:
name: ironic-tempest-wholedisk-bios-snmp-pxe
- description: SNMP power, no-op management, netboot and whole disk images.
+ description: SNMP power, no-op management and whole disk images.
parent: ironic-base
vars:
devstack_localrc: