Merge pull request metal3-io#443 from dtantsur/sync

NO-ISSUE: Merge from metal3-io/ironic-image (33275f5)

Dockerfile.fcos

@@ -30,7 +30,7 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 ironic-config/ipxe_config.template /tmp/
 
 # DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
@@ -40,6 +40,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
 
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \

Dockerfile.ocp

@@ -25,7 +25,7 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 ironic-config/ipxe_config.template /tmp/
 
 # DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
@@ -35,6 +35,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
 
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \

Dockerfile.scos

@@ -30,7 +30,7 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 ironic-config/ipxe_config.template /tmp/
 
 # DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
@@ -40,6 +40,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
 
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \

README.md

@@ -3,9 +3,6 @@ Metal3 Ironic Container
 
 This repo contains the files needed to build the Ironic images used by Metal3.
 
-Description
------------
-
 ## Description
 
 When updated, builds are automatically triggered on
@@ -76,6 +73,9 @@ functionality:
  inspection. (default `default,logs`)
 - `HTTPD_ENABLE_SENDFILE` - Whether to activate the EnableSendfile apache
  directive for httpd `(default, false)`
+- `IRONIC_CONDUCTOR_HOST` - Host name of the current conductor (only makes
+ sense to change for a multinode setup). Defaults to the IP address used
+ for provisioning.
 
 The ironic configuration can be overridden by various environment variables.
 The following can serve as an example:
@@ -86,4 +86,4 @@ The following can serve as an example:
  inspection
 - `OS_CONDUCTOR__CLEAN_CALLBACK_TIMEOUT=1800` - timeout (seconds) to wait for a
  callback from the ramdisk doing the cleaning
-- `OS_PXE__BOOT_RETRY_TIMEOUT=1200` - timeout (seconds) to enable boot retries.
+- `OS_PXE__BOOT_RETRY_TIMEOUT=1200` - timeout (seconds) to enable boot retries.

configure-nonroot.sh

@@ -16,12 +16,16 @@ IRONIC_USER="ironic"
 IRONIC_GROUP="ironic"
 INSPECTOR_GROUP="ironic-inspector"
 
+# most containers mount /shared but dnsmasq can live without it
+mkdir -p /shared
+chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /shared
+
 # we'll bind mount shared ca and ironic/inspector certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
-mkdir -p /certs
-chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /certs
-chmod 2775 /certs
+mkdir -p /certs/ca
+chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /certs{,/ca}
+chmod 2775 /certs{,/ca}
 
 # ironic, inspector and httpd related changes
 chown -R root:"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d

ironic-config/apache2-ipxe.conf.j2

@@ -0,0 +1,35 @@
+Listen {{ env.IPXE_TLS_PORT }}
+
+<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
+ ErrorLog /dev/stderr
+ LogLevel debug
+ CustomLog /dev/stdout combined
+
+ SSLEngine on
+ SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
+ SSLCertificateFile {{ env.IPXE_CERT_FILE }}
+ SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
+
+ <Directory "/shared/html">
+ Order Allow,Deny
+ Allow from all
+ </Directory>
+ <Directory "/shared/html/(redfish|ilo|images)/">
+ Order Deny,Allow
+ Deny from all
+ </Directory>
+</VirtualHost>
+
+<Location ~ "^/grub.*/">
+ SSLRequireSSL
+</Location>
+<Location ~ "^/pxelinux.cfg/">
+ SSLRequireSSL
+</Location>
+<Location ~ "^/.*\.conf/">
+ SSLRequireSSL
+</Location>
+<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
+ SSLRequireSSL
+</Location>
+

ironic-config/dnsmasq.conf.j2

@@ -29,14 +29,24 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
 # IPv4 Configuration:
 dhcp-match=ipxe,175
 # Client is already running iPXE; move to next stage of chainloading
+{%- if env.IPXE_TLS_SETUP == "true" %}
+# iPXE with (U)EFI
+dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
+# iPXE with BIOS
+dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
+{% else %}
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
+{% endif %}
 
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi_arm,option:client-arch,11
 
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader for x86
+# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
+{%- if env.IPXE_TLS_SETUP == "true" %}
+dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+{% endif %}
 dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
 
 # Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader for aarch64

ironic-config/httpd-ironic-api.conf.j2

@@ -79,7 +79,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  Require all granted
  </Location>
 
- <Location ~ "^/(v1/)?(lookup|heartbeat)" >
+ <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
  Require all granted
  </Location>
 </VirtualHost>

ironic-config/ipxe_config.template

@@ -0,0 +1,81 @@
+#!ipxe
+
+set attempts:int32 10
+set i:int32 0
+
+goto deploy
+
+:deploy
+imgfree
+{%- if pxe_options.deployment_aki_path %}
+{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
+{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
+{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
+{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
+{%- endif %}
+{%- if pxe_options.deployment_ari_path %}
+{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
+{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
+{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
+{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
+{%- endif %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
+
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
+boot
+
+:retry
+iseq ${i} ${attempts} && goto fail ||
+inc i
+echo No response, retrying in ${i} seconds.
+sleep ${i}
+goto deploy
+
+:fail
+echo Failed to get a response after ${attempts} attempts
+echo Powering off in 30 seconds.
+sleep 30
+poweroff
+
+:boot_anaconda
+imgfree
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
+boot
+
+:boot_ramdisk
+imgfree
+{%- if pxe_options.boot_iso_url %}
+sanboot {{ pxe_options.boot_iso_url }}
+{%- else %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
+boot
+{%- endif %}
+
+{%- if pxe_options.boot_from_volume %}
+
+:boot_iscsi
+imgfree
+{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
+{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
+sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
+{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
+set username {{ volume.username }}
+set password {{ volume.password }}
+{%- set drive_id = 129 + i %}
+sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
+{%- endfor %}{% endif %}
+{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
+sanboot --no-describe || goto fail_iscsi_retry
+
+:fail_iscsi_retry
+echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
+sleep 10
+goto boot_iscsi
+{%- endif %}
+
+:boot_whole_disk
+sanboot --no-describe || exit 0

ironic-config/ironic.conf.j2

@@ -7,19 +7,19 @@ auth_strategy = noauth
 {% endif %}
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = inspector
+default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
 default_network_interface = noop
 enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
 enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = inspector,idrac,irmc,fake,redfish,ilo
-enabled_management_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
-enabled_power_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ilo
-enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,redfish,idrac-redfish,ilo5
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac,idrac-redfish,redfish,ilo,fake
+enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
+enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
+enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
 enabled_firmware_interfaces = no-firmware,fake,redfish
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
@@ -36,7 +36,7 @@ my_ip = {{ env.IRONIC_IP }}
 # If we run both API and conductor in the same pod, use localhost
 host = localhost
 {% else %}
-host = {{ env.IRONIC_URL_HOST }}
+host = {{ env.IRONIC_CONDUCTOR_HOST }}
 {% endif %}
 
 # If a path to a certificate is defined, use that first for webserver
@@ -103,6 +103,12 @@ verify_step_priority_override = management.clear_job_queue:90
 node_history = False
 # Provide for a timeout longer than 60 seconds for certain vendor's hardware
 power_state_change_timeout = 120
+{% if env.IRONIC_DEFAULT_KERNEL is defined %}
+deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }}
+{% endif %}
+{% if env.IRONIC_DEFAULT_RAMDISK is defined %}
+deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
+{% endif %}
 
 [database]
 {% if env.IRONIC_USE_MARIADB | lower == "false" %}
@@ -138,19 +144,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 
 [inspector]
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
 extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
+
+{% if env.USE_IRONIC_INSPECTOR == "true" %}
+endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
+{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
+{% endif %}
 {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
 callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
 {% endif %}
+{% else %}
+hooks = $default_hooks,parse-lldp
+add_ports = all
+keep_ports = present
+{% endif %}
 
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -199,6 +212,9 @@ insecure = {{ env.IRONIC_INSECURE }}
 {% endif %}
 {% endif %}
 
+[nova]
+send_power_notifications = false
+
 [oslo_messaging_notifications]
 driver = prometheus_exporter
 location = /shared/ironic_prometheus_exporter
@@ -218,8 +234,11 @@ kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
-# Enable the fallback path to ironic-inspector
+# Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
+{% if env.IPXE_TLS_SETUP | lower == "true" %}
+ipxe_config_template = /tmp/ipxe_config.template
+{% endif %}
 
 [redfish]
 use_swift = false