When using nginx to terminate TLS (like it's done in Bifrost), it's more
secure to use a Unix socket for communication, so that local users
cannot access plain text communication.

Change-Id: I37b762cca035b5855deb92635c29e8eb97a87c20

The systemd service named openstack-ironic-inspector-dnsmasq is a name
which was only ever used by TripleO and hasn't been used since before
Train when the services were containerized and the dnsmasq process
management was no longer handled by inspector at all.

This change removes this rootwrap rule as unused for some years. Any
configuration tool which is setting
[dnsmasq_pxe_filter]dnsmasq_start_command also needs to be writing an
appropriate rootwrap.d file, as the inspector devstack plugin does.

Change-Id: I38974faa8897daabf88ff63402d42a3ef93e675c

It turns out that eventlet has been injecting a
``Transfer-Encoding`` header as of recent into WSGI application
response headers. The result of this ultimately depends on how
the HTTP client which is passing the request to the server is
written to handle data.

Apache, for example, will return that an invalid response was
received. In part because it sees the request end, with an HTTP
204 response code, but also an encoding indicating there is
a multipart body encoding inbound. Which is confusing.

Other C based HTTP clients can have any number of reactions up to
and including disconnecting sessions. Curl, depending on the
headers present either returns success but notes body weirdness
or actually returns return code 18.

Python-Requests kind of has it a little worse, and we see this
with clients. With it, it tries to prepare a respones content
body based upon the presence of the header indicating there is
a body. But it blows up thinking there is more data to read on
the socket when there is not more data to read.

Regardless, all of this is an RFC7230 violation.

Neither Content-Length nor Transfer-Encoding should be on an HTTP
204 response. However, Content-Length is the lesser evil, and we
have a similar endpoing in Ironic which *does* explicitly get
returned with a zero length content-length, and does not
demonstrate such issues.

As such, in the interest of the lesser evils until Eventlet's evil
ways of header injection are remedied, we're explicitly going to
force a Content-Length header to be sent indicating a zero length
response.

For more information, please see: https://github.com/eventlet/eventlet/issues/746

Change-Id: I014cc65c79222f4d4d7c2b6ff11a76e56659340c

We have updated the yoga testing runtime to keep the
py36 testing.

- https://review.opendev.org/c/openstack/governance/+/820195

Unit tests job template is also updated to keep python
3.6 as a voting job. So with the py3.6 and py3.9 testing as voting
job template, we are keeping python 3.6, 3.7, 3.8, and 3.8 as
tested versions in the Yoga cycle.

- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286

This commit re-add the python 3.6/3.7 versions in setup.cfg classifier.

Change-Id: I1600a9c56e85e8c6dcb68277f9d0e3396f92dac9

Change-Id: I3fcc7b473629803e57fb379a1946ca088f3d88e4

Yoga testing runtime has been updated with py38 and py39
as voting and removed the py36 testing. Unit tests update are
handled by the job template change in openstack-zuul-job and you
can see the updated jobs running in gate.

- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/818609

this commit updates the tested py versions in setup.cfg classifier.

[1] https://governance.openstack.org/tc/reference/runtimes/yoga.html

Change-Id: Idbc2a716eec5fd5710fc5ea493600a3519a37bdb

Also adds root=/dev/ram0 for the ramdisk initialization which seems
to be required with the switch to UEFI.

Depends-On: https://review.opendev.org/c/openstack/ironic/+/812167
Change-Id: I77aedafb121f9b8b009a424da11c82acca2216cd

This commit add support for state selector to the list introspection.

* ``GET /v1/introspection?state=[starting, waiting, processing,
                                 finished, error, reapplying,
				 enrolling]``

Story: 1625183
Task: 11350
Change-Id: I2c5222110487a08a4e7b1efbcbc5dc3d552fae3e

This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I6617d6025be66cd7d99c05dd5c0542acf6790dbc

Add file to the reno documentation build to show release notes for
stable/xena.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.

Sem-Ver: feature
Change-Id: I09dd83c307547b7bfbd638942a4d5b9156337446

Inplicit execution was deprecated in SQLAlhcemy, version 1.4 doesn't
support and we need to convert to explicit[1]

[1] https://docs.sqlalchemy.org/en/14/changelog/migration_20.html#implicit-and-connectionless-execution-bound-metadata-removed

Change-Id: I4a780567fb92c32cf55c54e2e134df9456e36165

This change allows uses to enable the healthcheck middleware from
oslo.middleware in API pipeline, by setting the [healthcheck]/enabled
option. This middleware provides an API endpoint at /healthcheck path
which allows load balancers or monitoring applications to determine
a service is up using HTTP requests.

This change basically follows the same change merged in ironic[1] repo.

[1] 6f439414bdcef9fc02f844f475ec798d48d42558

Change-Id: Ic2ee2bca74ea2a5a0723ef54b10c531f77ea7b8d

Since we run inspector jobs in ironic gate, we need to
include `ironic/tests` in the irrelevant-files so
we don't run the jobs when there is only changes in unit tests.

Change-Id: I98757ab78716689355f70c7735480d4dc8e04320

... to avoid warnings from the middleware about deprecated parameters.
Currently parameters of each auth plugin are not loaded in unit tests
so user credentials are not updated but just removed.

Change-Id: I6e420dac51ac8cf92eadb1c3a3d4716a96c22001

Some actions can fail due to the node being locked as part of
normal operations. This was previously handled silently by
python-ironicclient, but when inspector was changed to use
openstacksdk, this was no longer handled.

Adds the retry wrapper around critical path methods involving
power/reboot ops and node updates which require locks.

Change-Id: I3d26cf46da02b3e8f3f773c0aeaed6843e0f26e5
Story: 2009107
Task: 42966

The lower-constraints test was removed because of an issue where pip
could not correctly determine the required packages versions to install,
ending in an almost infinite loop that would end up in timeout, failure,
and general mayhem.
Recently the issue has been fixed and, if properly configured, the
lower-constraints test can provide good indication of which minimum
versions are required to support the current code.
This patch adds the test back to the current development branch, and it
runs only on master.
The lower-constraints file will stay in the future stable branches.

Change-Id: I2e247ff2d68705d04d40c7ea653a8d3e0daf17d8

Fix errors in unit tests

Change-Id: Ibc8648b64887daac6fb5ec8a6dd61d9312a52ef3

Update minimum required versions of python packages.
The updates is based on crosscheck requirements from required
packages:

oslo-policy 3.7.0 depends on oslo.context>=2.22.0

increase oslo-service version to be able to use eventlet 0.26.0
oslo-service 1.24.0 depends on eventlet!=0.18.3, !=0.20.1, <0.21.0 and >=0.18.2

increase oslo-log version to fix error:
AttributeError: type object 'deprecated' has no attribute 'WALLABY'

oslo-log 4.3.0 depends on oslo.serialization>=2.25.0
oslo-log 4.3.0 depends on pbr>=3.1.1
oslo-log 4.3.0 depends on oslo.i18n>=3.20.0

Change-Id: I20a5a20b94ffd27ea34f23ac89ca2826eb548b1a

This fix the below warning for DeprecatedRule:

Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.

Andf suppress the policy deprecation and default change warnings

Oslo policy log warnings if defaults for policies are changed.
With new RBAC change every policy rules' default is changed,
which end up lot of warnings in logs. We can suppress these for now
until we are enforcing new defaults.

- https://zuul.opendev.org/t/openstack/build/5cefaef6d02a4b7abe3c449491b81e68/log/job-output.txt#879

[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538

Change-Id: If481a5afc3b23d1d196ffd7576d0784a9702da59

* turn on apidocs option for individual module docs
* crosslink to information using :doc: and :ref:

Change-Id: Ie8016623251fb0f55335c64252060d4ce966dc96

Adds explicit handling of scope enforcement setting by putting
the appropriate settings in place, and handling the appropriate
configuration to communicate back with ironic based upon supplied
environment variables.

Change-Id: Ia27b26990e52b5b4ffb49b2fee3bdcca41dd75a9

A possibility exists where inspector *can* fail upon inspection if
the database connectivity was lost on a prior action. This is because
the last database transport is potentially bad and fails upon load for
the transaction. The cache can then end up with an "error" state entry,
which upon retrying can fail becasue it is already in error state

Because there really are no guarentees regarding database failures,
the best thing to do is to not trust the prior cache state if it is
in error and to reset it to starting upon new introspection requests.
This prevents operators from *having* to perform process restarts to
force all loads to be from the database unless they manage to have a
multi-inspector cluster and get another inspector node to inspect in
the mean time.

Change-Id: I04ae1d54028862642d043f3a8f3af99405863325
Story: 2008344
Task: 41246
Related: rhbz#1947147

SQLAlchemy 1.3.19 change the excepted exception and 1.4.x
changed the enum checking behavior such that we were no
longer raising an exception matching the check.

While we had a test for this, We didn't actually
check for it anywhere in the code. And the states are
driven by the code, so the underlying test that was broken
felt redundant. As such, it has been removed.

Change-Id: I39fa3d85978555b6cb9d0884a90625b4765bac28

It can cause problems, as if a single sync fails, FSM state will be
reset and not put back to initialized state until inspector restart.

Change-Id: I24b08612c4ffc6aca60ca08f3ff5cc769c7c041d
Story: #2008971
Task: #42611

* Emphasise that order matters.
* Make order of LLDP-related hooks the recommended one.
* Fix some related wording.
* Mention IPA param requirements already in lldp_basic hook.

Change-Id: I043fdd5b5582971e43211c9a860d6b28ca73dc4e

Change-Id: I9bcdda75b16e83b6d2246448d38b83e37ecf2750

The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23

Change-Id: I143ef78dec2ffff6b1c309036d50533591c20171

Setuptools v54.1.0 introduces a warning that the use of dash-separated
options in 'setup.cfg' will not be supported in a future version [1].
Get ahead of the issue by replacing the dashes with underscores. Without
this, we see 'UserWarning' messages like the following on new enough
versions of setuptools:

  UserWarning: Usage of dash-separated 'description-file' will not be
  supported in future versions. Please use the underscore name
  'description_file' instead

[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb

Change-Id: I8aa117a2ab38af4a82abfdd65e9dac103827ffbb