Fixes Secureboot with Anaconda deploy

Fixes Secureboot with Anaconda deploy with PXE and iPXE Story:2010356 Task: 46529 Change-Id: Id6262654bb5e41e02c7d90b9a9aaf395e7b6a088
author: Nisha Agarwal <agarwalnisha1980@gmail.com> 2022-10-10 12:38:49 +0000
committer: Dmitry Tantsur <dtantsur@protonmail.com> 2023-03-16 15:04:39 +0000
commit: c5e004a73eb96820a0c46402e9474d211d6f09ca (patch)
tree: 4004b32af5200b7bb5d7d95842fb391e74dbe11e
parent: 821ce8c319a46cb212a9997fd8e9b964be6657fd (diff)
download: ironic-c5e004a73eb96820a0c46402e9474d211d6f09ca.tar.gz
4 files changed, 19 insertions, 17 deletions
diff --git a/ironic/drivers/modules/pxe.py b/ironic/drivers/modules/pxe.py
index fe93acefd..a55f5b9fd 100644
--- a/ironic/drivers/modules/pxe.py
+++ b/ironic/drivers/modules/pxe.py
@@ -27,6 +27,7 @@ from ironic.conductor import utils as manager_utils
 from ironic.conf import CONF
 from ironic.drivers import base
 from ironic.drivers.modules import agent_base
+from ironic.drivers.modules import boot_mode_utils
 from ironic.drivers.modules import deploy_utils
 from ironic.drivers.modules import pxe_base
 LOG = logging.getLogger(__name__)
@@ -114,21 +115,11 @@ class PXEAnacondaDeploy(agent_base.AgentBaseMixin, agent_base.HeartbeatMixin,
     def reboot_to_instance(self, task):
         node = task.node
         try:
-            # anaconda deploy will install the bootloader and the node is ready
-            # to boot from disk.
-
-            deploy_utils.try_set_boot_device(task, boot_devices.DISK)
-        except Exception as e:
-            msg = (_("Failed to change the boot device to %(boot_dev)s "
-                     "when deploying node %(node)s. Error: %(error)s") %
-                   {'boot_dev': boot_devices.DISK, 'node': node.uuid,
-                    'error': e})
-            agent_base.log_and_raise_deployment_error(task, msg)
-
-        try:
             task.process_event('resume')
             self.clean_up(task)
             manager_utils.node_power_action(task, states.POWER_OFF)
+            deploy_utils.try_set_boot_device(task, boot_devices.DISK)
+            boot_mode_utils.configure_secure_boot_if_needed(task)
             task.driver.network.remove_provisioning_network(task)
             task.driver.network.configure_tenant_networks(task)
             manager_utils.node_power_action(task, states.POWER_ON)
diff --git a/ironic/drivers/modules/pxe_base.py b/ironic/drivers/modules/pxe_base.py
index daa90ba8d..f3ac49890 100644
--- a/ironic/drivers/modules/pxe_base.py
+++ b/ironic/drivers/modules/pxe_base.py
@@ -231,11 +231,12 @@ class PXEBaseMixin(object):
         :returns: None
         """
         boot_mode_utils.sync_boot_mode(task)
-        boot_mode_utils.configure_secure_boot_if_needed(task)
-
         node = task.node
-        boot_option = deploy_utils.get_boot_option(node)
         boot_device = None
+        boot_option = deploy_utils.get_boot_option(node)
+        if boot_option != "kickstart":
+            boot_mode_utils.configure_secure_boot_if_needed(task)
+
         instance_image_info = {}
         if boot_option == "ramdisk" or boot_option == "kickstart":
             instance_image_info = pxe_utils.get_instance_image_info(
diff --git a/ironic/tests/unit/drivers/modules/test_pxe.py b/ironic/tests/unit/drivers/modules/test_pxe.py
index e7d444104..f16366470 100644
--- a/ironic/tests/unit/drivers/modules/test_pxe.py
+++ b/ironic/tests/unit/drivers/modules/test_pxe.py
@@ -550,6 +550,8 @@ class PXEBootTestCase(db_base.DbTestCase):
     def test_prepare_instance_ramdisk_pxe_conf_exists(self):
         self._test_prepare_instance_ramdisk(config_file_exits=False)
 
+    @mock.patch.object(boot_mode_utils, 'configure_secure_boot_if_needed',
+                       autospec=True)
     @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
     @mock.patch.object(deploy_utils, 'switch_pxe_config', autospec=True)
     @mock.patch.object(pxe_utils, 'create_pxe_config', autospec=True)
@@ -567,7 +569,7 @@ class PXEBootTestCase(db_base.DbTestCase):
             self, exec_mock, write_file_mock, render_mock, api_url_mock,
             boot_opt_mock, get_image_info_mock, cache_mock, dhcp_factory_mock,
             create_pxe_config_mock, switch_pxe_config_mock,
-            set_boot_device_mock):
+            set_boot_device_mock, mock_conf_sec_boot):
         image_info = {'kernel': ['ins_kernel_id', '/path/to/kernel'],
                       'ramdisk': ['ins_ramdisk_id', '/path/to/ramdisk'],
                       'stage2': ['ins_stage2_id', '/path/to/stage2'],
@@ -611,6 +613,7 @@ class PXEBootTestCase(db_base.DbTestCase):
             set_boot_device_mock.assert_called_once_with(task,
                                                          boot_devices.PXE,
                                                          persistent=True)
+            self.assertFalse(mock_conf_sec_boot.called)
 
     @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
     @mock.patch.object(deploy_utils, 'switch_pxe_config', autospec=True)
@@ -786,11 +789,13 @@ class PXEAnacondaDeployTestCase(db_base.DbTestCase):
             task.driver.deploy.prepare(task)
             mock_prepare_instance.assert_called_once_with(mock.ANY, task)
 
+    @mock.patch.object(boot_mode_utils, 'configure_secure_boot_if_needed',
+                       autospec=True)
     @mock.patch.object(pxe_utils, 'clean_up_pxe_env', autospec=True)
     @mock.patch.object(pxe_utils, 'get_instance_image_info', autospec=True)
     @mock.patch.object(deploy_utils, 'try_set_boot_device', autospec=True)
     def test_reboot_to_instance(self, mock_set_boot_dev, mock_image_info,
-                                mock_cleanup_pxe_env):
+                                mock_cleanup_pxe_env, mock_conf_sec_boot):
         image_info = {'kernel': ('', '/path/to/kernel'),
                       'ramdisk': ('', '/path/to/ramdisk'),
                       'stage2': ('', '/path/to/stage2'),
@@ -802,6 +807,7 @@ class PXEAnacondaDeployTestCase(db_base.DbTestCase):
         with task_manager.acquire(self.context, self.node.uuid) as task:
             task.driver.deploy.reboot_to_instance(task)
             mock_set_boot_dev.assert_called_once_with(task, boot_devices.DISK)
+            mock_conf_sec_boot.assert_called_once_with(task)
             mock_cleanup_pxe_env.assert_called_once_with(task, image_info,
                                                          ipxe_enabled=False)
 
diff --git a/releasenotes/notes/fix_secure_boot_with_anaconda_deploy-84d7c1e3bbfa40f2.yaml b/releasenotes/notes/fix_secure_boot_with_anaconda_deploy-84d7c1e3bbfa40f2.yaml
new file mode 100644
index 000000000..a03289c42
--- /dev/null
+++ b/releasenotes/notes/fix_secure_boot_with_anaconda_deploy-84d7c1e3bbfa40f2.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Fixes secure boot with anaconda deploy.
author	Nisha Agarwal <agarwalnisha1980@gmail.com>	2022-10-10 12:38:49 +0000
committer	Dmitry Tantsur <dtantsur@protonmail.com>	2023-03-16 15:04:39 +0000
commit	c5e004a73eb96820a0c46402e9474d211d6f09ca (patch)
tree	4004b32af5200b7bb5d7d95842fb391e74dbe11e
parent	821ce8c319a46cb212a9997fd8e9b964be6657fd (diff)
download	ironic-c5e004a73eb96820a0c46402e9474d211d6f09ca.tar.gz