Fixes Secureboot with Anaconda deploy

Fixes Secureboot with Anaconda deploy with PXE and iPXE

Story:2010356
Task: 46529

Change-Id: Id6262654bb5e41e02c7d90b9a9aaf395e7b6a088

ironic/drivers/modules/pxe.py

@@ -27,6 +27,7 @@ from ironic.conductor import utils as manager_utils
 from ironic.conf import CONF
 from ironic.drivers import base
 from ironic.drivers.modules import agent_base
+from ironic.drivers.modules import boot_mode_utils
 from ironic.drivers.modules import deploy_utils
 from ironic.drivers.modules import pxe_base
 LOG = logging.getLogger(__name__)
@@ -113,22 +114,12 @@ class PXEAnacondaDeploy(agent_base.AgentBaseMixin, agent_base.HeartbeatMixin,
 
     def reboot_to_instance(self, task):
         node = task.node
-        try:
-            # anaconda deploy will install the bootloader and the node is ready
-            # to boot from disk.
-
-            deploy_utils.try_set_boot_device(task, boot_devices.DISK)
-        except Exception as e:
-            msg = (_("Failed to change the boot device to %(boot_dev)s "
-                     "when deploying node %(node)s. Error: %(error)s") %
-                   {'boot_dev': boot_devices.DISK, 'node': node.uuid,
-                    'error': e})
-            agent_base.log_and_raise_deployment_error(task, msg)
-
         try:
             task.process_event('resume')
             self.clean_up(task)
             manager_utils.node_power_action(task, states.POWER_OFF)
+            deploy_utils.try_set_boot_device(task, boot_devices.DISK)
+            boot_mode_utils.configure_secure_boot_if_needed(task)
             task.driver.network.remove_provisioning_network(task)
             task.driver.network.configure_tenant_networks(task)
             manager_utils.node_power_action(task, states.POWER_ON)

ironic/drivers/modules/pxe_base.py

@@ -231,11 +231,12 @@ class PXEBaseMixin(object):
         :returns: None
         """
         boot_mode_utils.sync_boot_mode(task)
-        boot_mode_utils.configure_secure_boot_if_needed(task)
-
         node = task.node
-        boot_option = deploy_utils.get_boot_option(node)
         boot_device = None
+        boot_option = deploy_utils.get_boot_option(node)
+        if boot_option != "kickstart":
+            boot_mode_utils.configure_secure_boot_if_needed(task)
+
         instance_image_info = {}
         if boot_option == "ramdisk" or boot_option == "kickstart":
             instance_image_info = pxe_utils.get_instance_image_info(

ironic/tests/unit/drivers/modules/test_pxe.py

@@ -550,6 +550,8 @@ class PXEBootTestCase(db_base.DbTestCase):
     def test_prepare_instance_ramdisk_pxe_conf_exists(self):
         self._test_prepare_instance_ramdisk(config_file_exits=False)
 
+    @mock.patch.object(boot_mode_utils, 'configure_secure_boot_if_needed',
+                       autospec=True)
     @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
     @mock.patch.object(deploy_utils, 'switch_pxe_config', autospec=True)
     @mock.patch.object(pxe_utils, 'create_pxe_config', autospec=True)
@@ -567,7 +569,7 @@ class PXEBootTestCase(db_base.DbTestCase):
             self, exec_mock, write_file_mock, render_mock, api_url_mock,
             boot_opt_mock, get_image_info_mock, cache_mock, dhcp_factory_mock,
             create_pxe_config_mock, switch_pxe_config_mock,
-            set_boot_device_mock):
+            set_boot_device_mock, mock_conf_sec_boot):
         image_info = {'kernel': ['ins_kernel_id', '/path/to/kernel'],
                       'ramdisk': ['ins_ramdisk_id', '/path/to/ramdisk'],
                       'stage2': ['ins_stage2_id', '/path/to/stage2'],
@@ -611,6 +613,7 @@ class PXEBootTestCase(db_base.DbTestCase):
             set_boot_device_mock.assert_called_once_with(task,
                                                          boot_devices.PXE,
                                                          persistent=True)
+            self.assertFalse(mock_conf_sec_boot.called)
 
     @mock.patch.object(manager_utils, 'node_set_boot_device', autospec=True)
     @mock.patch.object(deploy_utils, 'switch_pxe_config', autospec=True)
@@ -786,11 +789,13 @@ class PXEAnacondaDeployTestCase(db_base.DbTestCase):
             task.driver.deploy.prepare(task)
             mock_prepare_instance.assert_called_once_with(mock.ANY, task)
 
+    @mock.patch.object(boot_mode_utils, 'configure_secure_boot_if_needed',
+                       autospec=True)
     @mock.patch.object(pxe_utils, 'clean_up_pxe_env', autospec=True)
     @mock.patch.object(pxe_utils, 'get_instance_image_info', autospec=True)
     @mock.patch.object(deploy_utils, 'try_set_boot_device', autospec=True)
     def test_reboot_to_instance(self, mock_set_boot_dev, mock_image_info,
-                                mock_cleanup_pxe_env):
+                                mock_cleanup_pxe_env, mock_conf_sec_boot):
         image_info = {'kernel': ('', '/path/to/kernel'),
                       'ramdisk': ('', '/path/to/ramdisk'),
                       'stage2': ('', '/path/to/stage2'),
@@ -802,6 +807,7 @@ class PXEAnacondaDeployTestCase(db_base.DbTestCase):
         with task_manager.acquire(self.context, self.node.uuid) as task:
             task.driver.deploy.reboot_to_instance(task)
             mock_set_boot_dev.assert_called_once_with(task, boot_devices.DISK)
+            mock_conf_sec_boot.assert_called_once_with(task)
             mock_cleanup_pxe_env.assert_called_once_with(task, image_info,
                                                          ipxe_enabled=False)
 

releasenotes/notes/fix_secure_boot_with_anaconda_deploy-84d7c1e3bbfa40f2.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Fixes secure boot with anaconda deploy.