[WIP] Minimum change to support inspection without inspector

A lot more clean-up is possible, but this change allows testing
the new approach already.

Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>

ironic-config/httpd-ironic-api.conf.j2

@@ -79,7 +79,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  Require all granted
  </Location>
 
- <Location ~ "^/(v1/)?(lookup|heartbeat)" >
+ <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
  Require all granted
  </Location>
 </VirtualHost>

ironic-config/ironic.conf.j2

@@ -2,15 +2,19 @@
 auth_strategy = noauth
 debug = true
 default_deploy_interface = direct
+{% if env.USE_IRONIC_INSPECTOR == "true" %}
 default_inspect_interface = inspector
+{% else %}
+default_inspect_interface = agent
+{% endif %}
 default_network_interface = noop
 enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
 enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,ibmc,manual-management,ilo,ilo5
-enabled_inspect_interfaces = inspector,idrac,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector,{% endif %}agent,idrac,irmc,fake,redfish,ilo
 enabled_management_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ibmc,ilo,ilo5,noop
 enabled_power_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ibmc,ilo
 enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,redfish,idrac-redfish,ilo5
@@ -133,19 +137,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 
 [inspector]
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
 extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
+
+{% if env.USE_IRONIC_INSPECTOR == "true" %}
+endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
+{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
+{% endif %}
 {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
 callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
 {% endif %}
+{% else %}
+hooks = $default_hooks,parse-lldp
+add_ports = all
+keep_ports = present
+{% endif %}
 
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -212,7 +223,7 @@ kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
-# Enable the fallback path to ironic-inspector
+# Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 
 [redfish]

scripts/configure-ironic.sh

@@ -93,7 +93,9 @@ configure_json_rpc_auth
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 
-configure_client_basic_auth ironic-inspector
+if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+ configure_client_basic_auth ironic-inspector
+fi
 configure_client_basic_auth ironic-rpc
 
 # Make sure ironic traffic bypasses any proxies

scripts/ironic-common.sh

@@ -100,3 +100,12 @@ export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
 
 export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
 export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
+
+# If this is false, built-in inspection is used.
+# FIXME(dtantsur): TEST ONLY, FLIP TO true BEFORE MERGING!!
+export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-false}
+export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
+if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
+ echo "Discovery is only supported with ironic-inspector at this point"
+ exit 1
+fi

scripts/runhttpd

@@ -33,7 +33,12 @@ chmod 0777 /shared/html
 
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
 
-INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
+if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+ INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
+else
+ INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
+fi
+
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
  INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
 fi
@@ -47,7 +52,7 @@ mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example
 # Render the core httpd config
 render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
 
-if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
+if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
  if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
  render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
  fi

scripts/runironic-inspector

@@ -14,6 +14,11 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 
+# if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
+# echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
+# exit 1
+# fi
+
 wait_for_interface_or_ip
 
 IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}