)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eb31d317404a53d5c661029058a0961c2b75d55b","unresolved":false,"context_lines":[{"line_number":11,"context_line":"that only nodes being introspected are added to the DHCP servers"},{"line_number":12,"context_line":"allow list."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Also adds ethoib support in the dnsmasq PXE filter."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Also fix a typo in ethoib_interfaces option help text."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"9f560f44_00ace832","line":14,"updated":"2020-09-25 15:46:46.000000000","message":"Worth a separate release note (ideally a separate patch)","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"05cdb11c54db9067a7bb31d618f2106aa189a875","unresolved":false,"context_lines":[{"line_number":11,"context_line":"that only nodes being introspected are added to the DHCP servers"},{"line_number":12,"context_line":"allow list."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Also adds ethoib support in the dnsmasq PXE filter."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Also fix a typo in ethoib_interfaces option help text."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"9f560f44_5aa356ff","line":14,"in_reply_to":"9f560f44_00ace832","updated":"2020-09-28 10:20:41.000000000","message":"I put a separate reno. 
A separate patch is a bit complicated as this is something we kind of got for free when refactoring to share some code.","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"}],"ironic_inspector/conf/dnsmasq_pxe_filter.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":36,"context_line":"    cfg.StrOpt(\u0027dnsmasq_stop_command\u0027, default\u003d\u0027\u0027,"},{"line_number":37,"context_line":"               help\u003d_(\u0027A (shell) command line to stop the dnsmasq service \u0027"},{"line_number":38,"context_line":"                      \u0027upon inspector (error) exit. Default: don\\\u0027t stop.\u0027)),"},{"line_number":39,"context_line":"    cfg.BoolOpt(\u0027deny_unknown_macs\u0027, default\u003dFalse,"},{"line_number":40,"context_line":"                help\u003d_(\u0027By default inspector will open the DHCP server for any\u0027"},{"line_number":41,"context_line":"                       \u0027node when introspection is active. Opening DHCP for\u0027"},{"line_number":42,"context_line":"                       \u0027unknown MAC addresses when introspection allow users\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"9f560f44_18b3fd4f","line":39,"updated":"2020-09-23 08:09:58.000000000","message":"This should be a global option, not specific to the dnsmasq filter. 
The iptables filter works the same.","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"69f0223fbfe6dad7f7e3a45071f921f9949df5ea","unresolved":false,"context_lines":[{"line_number":36,"context_line":"    cfg.StrOpt(\u0027dnsmasq_stop_command\u0027, default\u003d\u0027\u0027,"},{"line_number":37,"context_line":"               help\u003d_(\u0027A (shell) command line to stop the dnsmasq service \u0027"},{"line_number":38,"context_line":"                      \u0027upon inspector (error) exit. Default: don\\\u0027t stop.\u0027)),"},{"line_number":39,"context_line":"    cfg.BoolOpt(\u0027deny_unknown_macs\u0027, default\u003dFalse,"},{"line_number":40,"context_line":"                help\u003d_(\u0027By default inspector will open the DHCP server for any\u0027"},{"line_number":41,"context_line":"                       \u0027node when introspection is active. Opening DHCP for\u0027"},{"line_number":42,"context_line":"                       \u0027unknown MAC addresses when introspection allow users\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"9f560f44_aa336d12","line":39,"in_reply_to":"9f560f44_18b3fd4f","updated":"2020-09-24 21:12:03.000000000","message":"Actually no, the iptables filter works a little different.\nThe dnsmasq filter manages allowed mac\u0027s, denied mac\u0027s and unknown mac\u0027s. 
While iptables only manage denied mac\u0027s and unknown mac\u0027s.\n\nDenied mac\u0027s is the mac addresses enrolled to ironic nodes currently not being introspected.\n\nI will spend some time and see if I can enhance the iptables filter to support allowed mac\u0027s.","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    cfg.BoolOpt(\u0027deny_unknown_macs\u0027, default\u003dFalse,"},{"line_number":40,"context_line":"                help\u003d_(\u0027By default inspector will open the DHCP server for any\u0027"},{"line_number":41,"context_line":"                       \u0027node when introspection is active. Opening DHCP for\u0027"},{"line_number":42,"context_line":"                       \u0027unknown MAC addresses when introspection allow users\u0027"},{"line_number":43,"context_line":"                       \u0027to add nodes with no ports to ironic and have ironic\u0027"},{"line_number":44,"context_line":"                       \u0027create ports using the ValidateInterfacesHook\u0027"},{"line_number":45,"context_line":"                       \u0027processing filter.\u0027))"}],"source_content_type":"text/x-python","patch_set":1,"id":"9f560f44_78a4b907","line":42,"updated":"2020-09-23 08:09:58.000000000","message":"missing trailing space here and below","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":40,"context_line":"                help\u003d_(\u0027By default inspector will open the DHCP server for any\u0027"},{"line_number":41,"context_line":"                       \u0027node 
when introspection is active. Opening DHCP for\u0027"},{"line_number":42,"context_line":"                       \u0027unknown MAC addresses when introspection allow users\u0027"},{"line_number":43,"context_line":"                       \u0027to add nodes with no ports to ironic and have ironic\u0027"},{"line_number":44,"context_line":"                       \u0027create ports using the ValidateInterfacesHook\u0027"},{"line_number":45,"context_line":"                       \u0027processing filter.\u0027))"},{"line_number":46,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"9f560f44_b8a931de","line":43,"updated":"2020-09-23 08:09:58.000000000","message":"s/ironic/ironic-inspector/ and let\u0027s not mention filter names, especially class names that are not exposed to operators.","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":42,"context_line":"                       \u0027unknown MAC addresses when introspection allow users\u0027"},{"line_number":43,"context_line":"                       \u0027to add nodes with no ports to ironic and have ironic\u0027"},{"line_number":44,"context_line":"                       \u0027create ports using the ValidateInterfacesHook\u0027"},{"line_number":45,"context_line":"                       \u0027processing filter.\u0027))"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"]"},{"line_number":48,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"9f560f44_f8af29dd","line":45,"updated":"2020-09-23 08:09:58.000000000","message":"Let\u0027s be explicit that if this option is True, at least one port must be 
enrolled.","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"}],"ironic_inspector/pxe_filter/base.py":[{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"e0405729a82639b7a5a02ebda476498b8bb0c2a0","unresolved":false,"context_lines":[{"line_number":254,"context_line":"def _ib_mac_to_rmac_mapping(ports):"},{"line_number":255,"context_line":"    \"\"\"Update port InfiniBand MAC address to EthernetOverInfiniBand MAC"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"    On InfiniBand deployment we need to map between the baremetal host"},{"line_number":258,"context_line":"    InfiniBand MAC to the EoIB MAC. The EoIB MAC addresses are learned"},{"line_number":259,"context_line":"    automatically by the EoIB interfaces and those MACs are recorded to the"},{"line_number":260,"context_line":"    /sys/class/net/\u003cethoib_interface\u003e/eth/neighs file. The InfiniBand GUID is"}],"source_content_type":"text/x-python","patch_set":6,"id":"9f560f44_6dc11d82","line":257,"range":{"start_line":257,"start_character":18,"end_line":257,"end_character":28},"updated":"2020-09-30 13:03:29.000000000","message":"Nit: deployments","commit_id":"7a067a97a81148db655d7481ec0eeb5cb57cd7f0"}],"ironic_inspector/pxe_filter/dnsmasq.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eb31d317404a53d5c661029058a0961c2b75d55b","unresolved":false,"context_lines":[{"line_number":72,"context_line":"    def __init__(self):"},{"line_number":73,"context_line":"        super(DnsmasqFilter, self).__init__()"},{"line_number":74,"context_line":"        # Configuration check"},{"line_number":75,"context_line":"        if (CONF.pxe_filter.deny_unknown_macs"},{"line_number":76,"context_line":"                and CONF.processing.node_not_found_hook):"},{"line_number":77,"context_line":"            msg \u003d 
(\u0027Configuration error: [pxe_filter]deny_unknown_macs is\u0027"},{"line_number":78,"context_line":"                   \u0027enabled and [processing]node_not_found_hook is enabled.\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"9f560f44_60a7a451","line":75,"updated":"2020-09-25 15:46:46.000000000","message":"Let\u0027s maybe move this to BaseFilter?","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"05cdb11c54db9067a7bb31d618f2106aa189a875","unresolved":false,"context_lines":[{"line_number":72,"context_line":"    def __init__(self):"},{"line_number":73,"context_line":"        super(DnsmasqFilter, self).__init__()"},{"line_number":74,"context_line":"        # Configuration check"},{"line_number":75,"context_line":"        if (CONF.pxe_filter.deny_unknown_macs"},{"line_number":76,"context_line":"                and CONF.processing.node_not_found_hook):"},{"line_number":77,"context_line":"            msg \u003d (\u0027Configuration error: [pxe_filter]deny_unknown_macs is\u0027"},{"line_number":78,"context_line":"                   \u0027enabled and [processing]node_not_found_hook is enabled.\u0027"}],"source_content_type":"text/x-python","patch_set":5,"id":"9f560f44_7f0f2c38","line":75,"in_reply_to":"9f560f44_60a7a451","updated":"2020-09-28 10:20:41.000000000","message":"Done","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eb31d317404a53d5c661029058a0961c2b75d55b","unresolved":false,"context_lines":[{"line_number":74,"context_line":"        # Configuration check"},{"line_number":75,"context_line":"        if (CONF.pxe_filter.deny_unknown_macs"},{"line_number":76,"context_line":"                and CONF.processing.node_not_found_hook):"},{"line_number":77,"context_line":" 
           msg \u003d (\u0027Configuration error: [pxe_filter]deny_unknown_macs is\u0027"},{"line_number":78,"context_line":"                   \u0027enabled and [processing]node_not_found_hook is enabled.\u0027"},{"line_number":79,"context_line":"                   \u0027These options cannot both be enabled simultaneously.\u0027)"},{"line_number":80,"context_line":"            raise utils.Error(msg)"}],"source_content_type":"text/x-python","patch_set":5,"id":"9f560f44_40a26040","line":77,"updated":"2020-09-25 15:46:46.000000000","message":"nit: _()","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"},{"author":{"_account_id":24245,"name":"Harald Jensås","email":"hjensas@redhat.com","username":"harald.jensas"},"change_message_id":"05cdb11c54db9067a7bb31d618f2106aa189a875","unresolved":false,"context_lines":[{"line_number":74,"context_line":"        # Configuration check"},{"line_number":75,"context_line":"        if (CONF.pxe_filter.deny_unknown_macs"},{"line_number":76,"context_line":"                and CONF.processing.node_not_found_hook):"},{"line_number":77,"context_line":"            msg \u003d (\u0027Configuration error: [pxe_filter]deny_unknown_macs is\u0027"},{"line_number":78,"context_line":"                   \u0027enabled and [processing]node_not_found_hook is enabled.\u0027"},{"line_number":79,"context_line":"                   \u0027These options cannot both be enabled simultaneously.\u0027)"},{"line_number":80,"context_line":"            raise utils.Error(msg)"}],"source_content_type":"text/x-python","patch_set":5,"id":"9f560f44_5f122862","line":77,"in_reply_to":"9f560f44_40a26040","updated":"2020-09-28 10:20:41.000000000","message":"Done","commit_id":"66dfbb0eaac3225a1d0d79fd051b5c7876b7bf71"}],"releasenotes/notes/dnsmasq-pxe-filter-add-deny-unknown-host-option-b84b2aa1f7f49a17.yaml":[{"author":{"_account_id":10239,"name":"Dmitry 
Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    By default the DHCP filtering will open the DHCP server for any host when"},{"line_number":5,"context_line":"    introspection is active. Doing so is required to support interface"},{"line_number":6,"context_line":"    discovery via the ValidateInterfacesHook (which by default will add the"},{"line_number":7,"context_line":"    pxe port to ironic if not present). This behaviour is not always wanted, as"},{"line_number":8,"context_line":"    nodes not managed by ironic may boot the inspection image."},{"line_number":9,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9f560f44_9878ad7e","line":6,"range":{"start_line":6,"start_character":14,"end_line":6,"end_character":44},"updated":"2020-09-23 08:09:58.000000000","message":"Remove \"via\"..\" as it\u0027s too technical","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e26ad1f7fa9598ff2bdebd61fc12498b1b006e6","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    Add a new option ``dnsmasq_pxe_filter\\deny_unknown_macs`` which allow"},{"line_number":11,"context_line":"    disabling this behaviour."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"    .. 
Note:: When deny_unknown_macs is set, it will disable unknow hosts also"},{"line_number":14,"context_line":"              when the ``processing/node_not_found_hook`` is set."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9f560f44_d895058a","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":65},"updated":"2020-09-23 08:09:58.000000000","message":"Then we need to fail on start up if both options are on.","commit_id":"f8f0e5637fe245d4799b00701c699833020b79ce"}],"releasenotes/notes/pxe-filter-add-deny-unknown-host-option-b84b2aa1f7f49a17.yaml":[{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"e0405729a82639b7a5a02ebda476498b8bb0c2a0","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    present). This behaviour is not always wanted, as nodes not managed by"},{"line_number":9,"context_line":"    ironic may boot the inspection image."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    A new option was added ``[pxe_filter]deny_unknown_macs`` which allow"},{"line_number":12,"context_line":"    changeing this behaviour so that the DHCP server only allow enrolled nodes"},{"line_number":13,"context_line":"    being introspected and deny everything else."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9f560f44_02a03042","line":11,"range":{"start_line":11,"start_character":67,"end_line":11,"end_character":72},"updated":"2020-09-30 13:03:29.000000000","message":"nit: allows","commit_id":"7a067a97a81148db655d7481ec0eeb5cb57cd7f0"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"e0405729a82639b7a5a02ebda476498b8bb0c2a0","unresolved":false,"context_lines":[{"line_number":9,"context_line":"    ironic may boot the inspection 
image."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    A new option was added ``[pxe_filter]deny_unknown_macs`` which allow"},{"line_number":12,"context_line":"    changeing this behaviour so that the DHCP server only allow enrolled nodes"},{"line_number":13,"context_line":"    being introspected and deny everything else."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    .. Note:: If this option is ``True``, nodes must have at least one"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9f560f44_a28ea4ce","line":12,"range":{"start_line":12,"start_character":58,"end_line":12,"end_character":63},"updated":"2020-09-30 13:03:29.000000000","message":"Nit: allows","commit_id":"7a067a97a81148db655d7481ec0eeb5cb57cd7f0"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"e0405729a82639b7a5a02ebda476498b8bb0c2a0","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    changeing this behaviour so that the DHCP server only allow enrolled nodes"},{"line_number":13,"context_line":"    being introspected and deny everything else."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    .. Note:: If this option is ``True``, nodes must have at least one"},{"line_number":16,"context_line":"              enrolled port prior to introspection."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9f560f44_023cb0df","line":16,"range":{"start_line":15,"start_character":4,"end_line":16,"end_character":51},"updated":"2020-09-30 13:03:29.000000000","message":"To increase visibility, I think this needs to be added to the admin docs as introspection for many adds the ports in the first place, and using this option will prevent this.","commit_id":"7a067a97a81148db655d7481ec0eeb5cb57cd7f0"}]}
