From 68a41a97d17a8f908da2a1da80f3fa48ebed1c03 Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Sat, 19 Dec 2015 21:01:05 -0500 Subject: [PATCH] PXE Driver substrate support Previously support for PXE drivers was incomplete as the underlying iSCSI client and sudoers configuration was not present which prevented ironic from leveraging the drivers unless the user put the substrate into place independently of bifrost. Updated installation and configuration steps to put support into place. Change-Id: If8de1042ad304d56f2c9a8d9ef6a3c5531c44081 Closes-Bug: #1525082 --- .../roles/bifrost-ironic-install/README.md | 7 +++ .../bifrost-ironic-install/defaults/main.yml | 1 + .../required_defaults_Debian_family.yml | 1 + .../required_defaults_RedHat_family.yml | 1 + .../tasks/ironic_config.yml | 8 ++- .../bifrost-ironic-install/tasks/main.yml | 49 +++++++++++++++++-- .../pxe-driver-support-e2d8a769bf910dbc.yaml | 26 ++++++++++ 7 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml diff --git a/playbooks/roles/bifrost-ironic-install/README.md b/playbooks/roles/bifrost-ironic-install/README.md index 67bc611c4..c649e75e0 100644 --- a/playbooks/roles/bifrost-ironic-install/README.md +++ b/playbooks/roles/bifrost-ironic-install/README.md 
@@ -85,6 +85,13 @@ When testing, the default ironic conductor driver is "agent_ssh". When testing mode has not been engaged, drivers can be set via the enabled_drivers variable which defaults to: "agent_ipmitool,pxe_amt,agent_ilo,agent_ucs" +By default, PXE driver baseline support, in terms of installation of the +iSCSI client and configuration of sudoers and rootwrap configuration is +enabled. If you wish to disable this functionality, set ``pxe_drivers`` +to a value of ``false``. + +pxe_drivers: false + In the event of an external DHCP server being used, the user will need to configure their DHCP server such that PXE, and iPXE chain loading occurs. For additional information for setting up DHCP in this scenario refer to diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 770c31d74..3d8303712 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -89,3 +89,4 @@ inspector_port_addition: "pxe" # Note: inspector_keep_ports has three valid values: all, present, added inspector_keep_ports: "present" +pxe_drivers: true diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml index e8cd0f910..5e356ce5f 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml @@ -43,3 +43,4 @@ required_packages: # package list as the installation causes name resolution changes that can # temporarily block packages following it while the system is being # reconfigured. See: https://review.openstack.org/#/c/223813 +iscsi_client_package: "open-iscsi" 
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml index 53a96ac9e..3c87f960d 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml @@ -39,3 +39,4 @@ required_packages: # NOTE(cinerama): amtterm is not currently packaged for RHEL/CentOS 7. - libvirt-daemon - debootstrap +iscsi_client_package: "iscsi-initiator-utils" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml b/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml index d7edeb817..ad2ed7944 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml @@ -29,7 +29,7 @@ dest=/etc/ironic/ironic.conf insertafter="[DEFAULT]" regexp='^(.*)enabled_drivers=(.*)$' - line="enabled_drivers=agent_ssh" + line="enabled_drivers=agent_ssh,pxe_ssh" when: testing | bool == true - name: "If not testing, set driver list" lineinfile: @@ -177,3 +177,9 @@ regexp='(^#|^)enabled( |)=(.*)$' line="enabled = True" when: enable_inspector | bool +- name: "Set sudoers for PXE driver support if enabled" + lineinfile: + dest: /etc/sudoers + regexp: '^ironic(.*)/etc/ironic/rootwrap.conf(.*)' + line: "ironic ALL = (root) NOPASSWD: /usr/local/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *" + when: pxe_drivers | bool == true diff --git a/playbooks/roles/bifrost-ironic-install/tasks/main.yml b/playbooks/roles/bifrost-ironic-install/tasks/main.yml index 86850b8cb..87471d66b 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/main.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/main.yml 
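Review bot: The testing driver list in the first ironic_config.yml hunk (`@@ -29,7 +29,7 @@`) becomes `enabled_drivers=agent_ssh,pxe_ssh` regardless of `pxe_drivers`, while the iSCSI client install, the rootwrap copies and the sudoers entry in this commit are all gated on `pxe_drivers | bool == true`. With `testing: true` and `pxe_drivers: false` the conductor would enable `pxe_ssh` without the substrate it depends on. Building the value from the flag keeps the two in step, for example `line="enabled_drivers=agent_ssh{{ ',pxe_ssh' if pxe_drivers | bool else '' }}"`. The lineinfile task starts above the hunk, so its name and module line are not visible here.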
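Review bot: The new "Set sudoers for PXE driver support if enabled" task edits `/etc/sudoers` in place with `lineinfile` and no `validate:`, so a bad write can leave sudo unusable on the host; add `validate: 'visudo -cf %s'`, or write the rule to a root-owned mode 0440 file under `/etc/sudoers.d/` and validate that file instead. The rule hard-codes `/usr/local/bin/ironic-rootwrap`, whereas tasks/main.yml discovers the install prefix with `which ironic-api`; if the two can differ (a virtualenv or a distro package install, say) the rule will not match and should be built from the same prefix. The trailing `*` means the rootwrap filter files are the only limit on what the ironic account can run as root, so `/etc/ironic/rootwrap.conf`, `/etc/ironic/rootwrap.d` and their parent directory need to be writable by root only. Nothing removes the line when `pxe_drivers` is later set to false; a companion task with `state: absent` would keep the grant tied to the setting.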
@@ -64,6 +64,11 @@ package=UcsSdk version=0.8.1.9 when: skip_install is not defined and testing | bool != true +- name: "Install iSCSI client if PXE driver support is enabled" + package: + name: "{{ iscsi_client_package }}" + state: present + when: skip_install is not defined and pxe_drivers | bool == true - name: "Shade - Install" include: pip_install.yml package=shade @@ -118,11 +123,39 @@ source_install=true when: skip_install is not defined - name: "Create an ironic service group" - group: name=ironic + group: + name: "ironic" - name: "Create an ironic service user" - user: name=ironic group=ironic + user: + name: "ironic" + group: "ironic" - name: "Ensure /etc/ironic exists" - file: name=/etc/ironic state=directory owner=ironic group=ironic mode=0755 + file: + name: "/etc/ironic" + state: directory + owner: "ironic" + group: "ironic" + mode: 0755 +# Note(TheJulia): The rootwrap copies will need to be re-tooled +# to possibly directly retreive current files if a source install +# is not utilized. +- name: "Copy rootwrap.conf from ironic source folder" + copy: + src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf" + dest: "/etc/ironic/rootwrap.conf" + mode: 0644 + owner: root + group: root + when: skip_install is not defined and pxe_drivers | bool == true +- name: "Copy rootwrap.d contents from ironic source folder" + copy: + src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/" + dest: "/etc/ironic/rootwrap.d" + mode: 0644 + owner: root + group: root + directory_mode: yes + when: skip_install is not defined and pxe_drivers | bool == true - name: "Generate ironic Configuration" include: ironic_config.yml - name: "Copy policy.json to /etc/ironic" 
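Review bot: In the `@@ -118,11 +123,39 @@` hunk, `/etc/ironic` is created with `owner: "ironic"` and mode 0755, and the root-owned `rootwrap.conf` and `rootwrap.d` are then copied into that directory. Because the service account owns the parent directory, the `root:root` 0644 permissions on those entries do not stop it from replacing them, and the sudoers rule added in ironic_config.yml runs `ironic-rootwrap /etc/ironic/rootwrap.conf` as root, so the filter set ends up under the control of the account it is meant to restrict. Make the directory root-owned with `owner: "root"` (keeping `group: "ironic"`, and assuming ironic only needs to read its configuration, which is worth confirming), or keep the rootwrap files in a separate root-owned directory and point the sudoers rule there. Separately, `directory_mode: yes` is parsed as a boolean rather than a permission; `directory_mode: "0755"` states the intent.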
@@ -169,6 +202,16 @@ - name: "Get ironic-api & ironic-conductor install location" shell: echo $(dirname $(which ironic-api)) register: ironic_install_prefix +- name: "Set permissions for /var/lib/ironic for the ironic user" + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "ironic" + group: "ironic" + with_items: + - "/var/lib/ironic" + - "/var/lib/ironic/images" - name: "Place ironic services" template: src={{ init_template }} dest={{ init_dest_dir }}{{item.service_name}}{{ init_ext }} owner=root group=root with_items: diff --git a/releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml b/releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml new file mode 100644 index 000000000..7ec2366e6 --- /dev/null +++ b/releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml @@ -0,0 +1,26 @@ +--- +features: + - Support for PXE driver substrate is now installed + which utilizes iSCSI to write the disk image to the + target node. By default, this support is enabled. +upgrade: + - PXE driver substrate support is now enabled by default. + If a user wishes to prevent this, the ``pxe_drivers`` + setting should be set to ``false``. +security: + - PXE driver support substrate has been added, however + this requires the ability for the conductor to connect + to the node being provisioned via iSCSI. As a result + sudoers configuration is updated by default to enable + ironic to initiate the iSCSI connection and apply + the image to the remote disk. As a reminder, users + should default to using agent drivers as cleaning + support does not exist in the PXE drivers. +fixes: + - PXE driver support substrate was previously incomplete + and has been revised to properly support PXE drivers. + This has been tested on Ubuntu 14.04 LTS. +issues: + - Basic testing has revealed that PXE drivers may not + result in the configurtion drive being written out + with the current configuration of bifrost.
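Review bot: `mode: 0750` in the `/var/lib/ironic` task (and `mode: 0755` / `mode: 0644` in the previous main.yml hunk) is unquoted, so the resulting permission depends on the YAML loader reading a leading-zero integer as octal; quoting it, `mode: "0750"`, makes the value explicit and loader-independent. The task is named "Set permissions ..." but with `state: directory` it also creates both paths when they are missing, which a name such as "Ensure /var/lib/ironic directories exist and are owned by ironic" would describe more accurately. Unlike the other PXE substrate tasks this one is not gated on `pxe_drivers`; that looks intentional, but a one-line comment saying so would help the next reader.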