Bug 1898517

Summary: Ironic auto-discovery may result in rogue nodes registered in ironic
Product: OpenShift Container Platform
Component: Bare Metal Hardware Provisioning
Sub component: ironic
Reporter: Dmitry Tantsur <dtantsur>
Assignee: Dmitry Tantsur <dtantsur>
QA Contact: Lubov <lshilin>
CC: rbartal, tsedovic
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 4.7
Keywords: Triaged
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Doc Text: Node auto-discovery is no longer enabled in baremetal IPI. It was not handled correctly and caused duplicate bare metal hosts registration.
Last Closed: 2021-02-24 15:34:16 UTC

Description Dmitry Tantsur 2020-11-17 12:08:05 UTC
We have auto-discovery enabled in ironic-inspector-image, which means that anything that boots IPA and is not being deployed will be introspected and registered in ironic. Since BMO cannot detect such nodes, they prevent normal enrollment later on because of MAC address duplication.

Let us disable ironic auto-discovery until we support it in BMO.

Comment 2 Dmitry Tantsur 2021-01-06 13:20:07 UTC
Testing: make sure that just powering on a node (outside of OpenShift) does not result in adding it to ironic.

For example:
1) Deploy masters
2) Power on a worker manually without adding it to OpenShift (e.g. via ipmitool or its web UI).
3) The worker may or may not boot the inspection ramdisk, but in the end should fail and no new node should appear in ironic.
3.1) If the worker does not network boot by default, it's worth manually setting it to network boot in the firmware settings (or using ipmitool).
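
The check behind this test, and behind the MAC duplication described in the report, as an added example that is not part of the bug report or of the project's code: it cross-references ironic ports with BareMetalHost boot MACs to list ironic nodes that BMO does not know about. The sample data is constructed and only shaped like an Ironic API port list and `oc get baremetalhosts -o json` output; the function names are hypothetical.

```python
import json

# Constructed sample: Ironic API port list reduced to address and node_uuid.
IRONIC_PORTS = json.loads("""{"ports": [
  {"address": "52:54:00:aa:bb:01", "node_uuid": "uuid-master-0"},
  {"address": "52:54:00:aa:bb:02", "node_uuid": "uuid-master-1"},
  {"address": "52:54:00:AA:BB:10", "node_uuid": "uuid-unknown"}
]}""")

# Constructed sample: BareMetalHost list reduced to the fields used here.
BMH_LIST = json.loads("""{"items": [
  {"metadata": {"name": "master-0"}, "spec": {"bootMACAddress": "52:54:00:AA:BB:01"}},
  {"metadata": {"name": "master-1"}, "spec": {"bootMACAddress": "52-54-00-aa-bb-02"}}
]}""")


def norm_mac(mac):
    """Lower-case and strip separators so differently formatted MACs compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def unmanaged_nodes(ports, hosts):
    """Map node_uuid -> MACs for ironic nodes with no port matching a BareMetalHost."""
    known = {norm_mac(h["spec"]["bootMACAddress"])
             for h in hosts["items"] if h.get("spec", {}).get("bootMACAddress")}
    by_node = {}
    for p in ports["ports"]:
        by_node.setdefault(p["node_uuid"], []).append(p["address"])
    return {node: macs for node, macs in by_node.items()
            if not any(norm_mac(m) in known for m in macs)}


def blocked_enrollments(ports, new_macs):
    """MACs planned for enrollment that already belong to an ironic port."""
    taken = {norm_mac(p["address"]): p["node_uuid"] for p in ports["ports"]}
    return {m: taken[norm_mac(m)] for m in new_macs if norm_mac(m) in taken}


if __name__ == "__main__":
    for node, macs in unmanaged_nodes(IRONIC_PORTS, BMH_LIST).items():
        print(f"ironic node {node} has no BareMetalHost (ports: {', '.join(macs)})")
    print(blocked_enrollments(IRONIC_PORTS, ["52:54:00:aa:bb:10"]))
```

Running the comparison before and after step 2 should give the same result on a fixed build; a node that appears only afterwards is one that auto-discovery registered.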

Comment 6 errata-xmlrpc 2021-02-24 15:34:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633