Do not install grub2 and shim on the host system

At least on the CI nodes it causes issues with grub-pc on Debian since
the CI nodes don't have bootloader configured. Download and extract
packages instead.

To account for Kolla (which has a split between the install and the
bootstrap phases), the downloaded files are cached in /use/lib/ironic.

Change-Id: I9307366db9579b194dcb88818ed0ce2fedb4baaf

playbooks/roles/bifrost-download-packages/README.md

@@ -0,0 +1,52 @@
+bifrost-download-packages
+=========================
+
+This role downloads RPM or DEB packages in extracts them on the target system.
+
+Role Variables
+--------------
+
+`download_packages`: A list (not a string!) of packages to download.
+
+`download_dest`: Destination directory (must exist). Each package is downloaded
+                 into a subdirectory with the same name.
+
+Dependencies
+------------
+
+None at this time.
+
+Example Playbook
+----------------
+
+```
+- hosts: localhost
+  connection: local
+  become: yes
+  gather_facts: yes
+  roles:
+    - role: bifrost-download-packages
+      download_packages:
+        - python3
+      download_dest: /tmp
+```
+
+License
+-------
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Author Information
+------------------
+
+Ironic Developers

playbooks/roles/bifrost-download-packages/tasks/main.yml

@@ -0,0 +1,54 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Fail if unsupported OS family"
+  fail:
+    msg: Only Debian and RedHat families are supported for bifrost-download-packages
+  when: ansible_os_family not in ['Debian', 'RedHat']
+
+- name: "Get a string out of package list"
+  set_fact:
+    download_packages_string: "{{ download_packages | join(' ') }}"
+
+- block:
+  - name: "Download {{ download_packages_string }}"
+    command: apt-get download {{ download_packages_string }}  # noqa: command-instead-of-module
+    args:
+      chdir: "{{ download_dest }}"
+
+  - name: "Unpack {{ download_packages_string }}"
+    shell: >
+      dpkg-deb -R {{ download_dest }}/{{ item }}_*.deb {{ download_dest }}/{{ item }}
+    loop: "{{ download_packages }}"
+  when: ansible_os_family == 'Debian'
+
+- block:
+  - name: "Download {{ download_packages_string }}"
+    command: >
+      dnf download --downloaddir {{ download_dest }} {{ download_packages_string }}
+
+  - name: "Create a subdirectory for the package {{ item }}"
+    file:
+      path: "{{ download_dest }}/{{ item }}"
+      state: directory
+    loop: "{{ download_packages }}"
+
+  - name: "Unpack {{ download_packages_string }}"
+    shell: |
+      set -eo pipefail
+      rpm2cpio {{ download_dest }}/{{ item }}-*.rpm | cpio -idm
+    args:
+      chdir: "{{ download_dest }}/{{ item }}"
+      executable: /bin/bash
+    loop: "{{ download_packages }}"
+  when: ansible_os_family == 'RedHat'

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml

@@ -6,7 +6,9 @@ ironic_rootwrap_dir: /usr/local/bin/
 mysql_service_name: mysql
 tftp_service_name: tftpd-hpa
 efi_distro: "{{ ansible_facts['distribution'] | lower }}"
+grub_efi_package: grub-efi-amd64-signed
 grub_efi_binary: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
+shim_efi_package: shim-signed
 shim_efi_binary: /usr/lib/shim/shimx64.efi.signed
 required_packages:
   - mariadb-server
@@ -36,8 +38,6 @@ required_packages:
   - dnsmasq
   - apache2-utils
   - isolinux
-  - grub-efi-amd64-signed
-  - shim-signed
   - dosfstools
 # NOTE(TheJulia): The above entry for dnsmasq must be the last entry in the
 # package list as the installation causes name resolution changes that can

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml

@@ -7,7 +7,9 @@ ironic_rootwrap_dir: /usr/bin/
 mysql_service_name: mariadb
 tftp_service_name: tftp
 efi_distro: "{{ ansible_facts['distribution'] | lower }}"
+grub_efi_package: grub2-efi-x64
 grub_efi_binary: "/boot/efi/EFI/{{ efi_distro }}/grubx64.efi"
+shim_efi_package:  shim-x64
 shim_efi_binary: "/boot/efi/EFI/{{ efi_distro }}/shimx64.efi"
 required_packages:
   - mariadb-server
@@ -37,6 +39,4 @@ required_packages:
   - python3-firewall
   - httpd-tools
   - syslinux-nonlinux
-  - grub2-efi-x64
-  - shim-x64
   - dosfstools

playbooks/roles/bifrost-ironic-install/tasks/create_esp.yml

@@ -11,6 +11,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
+- name: "Set grub2 and shim paths for Debian and Red Hat systems"
+  set_fact:
+    grub_efi_source: /usr/lib/ironic/grub-efi
+    shim_efi_source: /usr/lib/ironic/shim-efi
+  when: ansible_os_family != 'Suse'
+
+- name: "Set grub2 and shim paths for Suse"
+  set_fact:
+    grub_efi_source: "{{ grub_efi_binary }}"
+    shim_efi_source: "{{ shim_efi_binary }}"
+  when: ansible_os_family == 'Suse'
+
 - name: "Create a temporary directory for mounting ESP"
   tempfile:
     state: directory
@@ -33,13 +45,13 @@
 
     - name: "Copy the shim image to ESP"
       copy:
-        src: "{{ shim_efi_binary }}"
+        src: "{{ shim_efi_source }}"
         remote_src: true
         dest: "{{ esp_temp_dir.path }}/EFI/BOOT/BOOTX64.efi"
 
     - name: "Copy the grub2 image to ESP"
       copy:
-        src: "{{ grub_efi_binary }}"
+        src: "{{ grub_efi_source }}"
         remote_src: true
         dest: "{{ esp_temp_dir.path }}/EFI/BOOT/GRUBX64.efi"
 

playbooks/roles/bifrost-ironic-install/tasks/install.yml

@@ -158,3 +158,44 @@
 - name: "Install Ironic Prometheus Exporter"
   include_tasks: prometheus_exporter_install.yml
   when: enable_prometheus_exporter | bool
+
+- name: "Create a temporary directory for unpacking grub2 and shim"
+  tempfile:
+    state: directory
+  register: efi_unpack_dir
+
+- block:
+  - name: "Create a binary cache directory"
+    file:
+      path: /usr/lib/ironic
+      state: directory
+      owner: root
+      group: root
+      mode: 0755
+
+  - name: "Download grub2 and shim binaries"
+    import_role:
+      name: bifrost-download-packages
+    vars:
+      download_packages:
+        - "{{ grub_efi_package }}"
+        - "{{ shim_efi_package }}"
+      download_dest: "{{ efi_unpack_dir.path }}"
+
+  - name: "Copy grub2 and shim into cache"
+    copy:
+      src: "{{ efi_unpack_dir.path }}/{{ item.src }}"
+      remote_src: true
+      dest: "/usr/lib/ironic/{{ item.dest }}"
+    loop:
+      - src: "{{ grub_efi_package }}/{{ grub_efi_binary }}"
+        dest: grub-efi
+      - src: "{{ shim_efi_package }}/{{ shim_efi_binary }}"
+        dest: shim-efi
+
+  when: ansible_os_family != 'Suse'
+  always:
+    - name: "Delete the temporary directory"
+      file:
+        path: "{{ efi_unpack_dir.path }}"
+        state: absent

releasenotes/notes/no-install-grub-d39d65a8edbb769e.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Bifrost no longers installs GRUB2 and shim on the host system, avoding
+    potential issues with a local bootloader.