Update Ironic Inspector for Metal Deployments

This patchset aims to correct some design limitations with the current
ironic-inspector deploy process.

- a new ironic-inspector-dnsmasq service has been created to split
inspector-specific dnsmasq configuration out of the base dnsmasq
config files
- PXE/iPXE and UEFI support for ironic-inspector boot
- (todo) documentation improvements and diagrams

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823426
Change-Id: Ib5cbb28f97dd7421bfecb815def89305f3b1da33
James Denton 2021-12-12 23:45:00 +00:00 committed by James Denton
parent 52a014c56f
commit f7e6cc04cf
9 changed files with 123 additions and 54 deletions


@ -79,6 +79,18 @@ ironic_services:
service_name: ironic-inspector
init_config_overrides: "{{ ironic_inspector_init_config_overrides }}"
execstarts: "{{ ironic_bin }}/ironic-inspector"
ironic-inspector-dnsmasq:
group: ironic_inspector
service_name: ironic-inspector-dnsmasq
service_type: forking
systemd_user_name: root
systemd_group_name: root
init_config_overrides: "{{ ironic_inspector_dnsmasq_init_config_overrides }}"
execstarts: "/usr/sbin/dnsmasq --conf-file=/etc/ironic-inspector/inspector-dnsmasq.conf"
after_targets:
- openvswitch.service
- network.target
state: stopped
ironic_service_name: ironic
ironic_service_type: baremetal
@ -356,13 +368,14 @@ ironic_inspector_pxe_boot_mode: "{{ ironic_inspector_boot_mode }}"
ironic_inspector_httpboot_dir: /httpboot
ironic_inspector_tftpboot_dir: "{{ ironic_tftpd_root }}"
ironic_inspector_dhcp_interface: br-ironic
ironic_inspector_dhcp_interface: br-bmaas
ironic_inspector_valid_interfaces: internal,public
### Config Overrides
ironic_inspector_conf_overrides: {}
ironic_inspector_rootwrap_conf_overrides: {}
ironic_inspector_init_config_overrides: {}
ironic_inspector_dnsmasq_init_config_overrides: {}
# pxe boot
ironic_inspector_pxe_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes" #ipa-inspection-collectors=default,logs,extra_hardware
@ -397,3 +410,12 @@ ironic_inspector_oslomsg_amqp1_enabled: True
ironic_inspector_ipa_initrd_name: ironic-deploy.initrd
ironic_inspector_ipa_kernel_name: ironic-deploy.kernel
# The URLs defined here provide the location to the kernel and ramdisk used
# for booting via ironic-inspector. The integrated Ironic Python Agent may
# not be backwards compatible, so the version listed should match the
# deployed cloud.
ironic_deploy_ramdisk_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.initramfs
ironic_deploy_ramdisk_sha_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.initramfs.sha256
ironic_deploy_kernel_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.kernel
ironic_deploy_kernel_sha_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.kernel.sha256
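Review bot: The four `ironic_deploy_*_url` defaults at the end of this section take each `.sha256` file from the same host and path as the image it covers, so the checksum detects a truncated or corrupted download but not a replaced artifact on that host. These images are what bare-metal nodes boot during inspection, so the comment above the variables should state that limit, for example `# The .sha256 files share an origin with the images; supply a pinned digest where authenticity matters.` The release name `stable-xena` is also repeated literally in all four URLs, although the existing comment says the version must match the deployed cloud; a single release variable would keep them in step.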


@ -46,9 +46,9 @@
state: restarted
failed_when: false
- name: Restart dnsmasq
- name: Restart ironic-inspector-dnsmasq
service:
name: "dnsmasq"
name: "ironic-inspector-dnsmasq"
state: restarted
failed_when: false


@ -13,51 +13,32 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Copy in dhcp config file
template:
src: "dhcpd.conf.j2"
dest: "/etc/dhcp/dhcpd.conf"
notify:
- Restart isc-dhcp-server
- name: Ensure except lo dnsmasq setting
lineinfile:
path: /etc/default/dnsmasq
state: present
line: 'DNSMASQ_EXCEPT=lo'
when: ansible_facts['os_family'] == 'Debian'
notify:
- Restart dnsmasq
- name: Uncomment IGNORE_RESOLVCONF line
lineinfile:
path: /etc/default/dnsmasq
state: present
regexp: '^#IGNORE_RESOLVCONF=.*'
line: 'IGNORE_RESOLVCONF=yes'
backrefs: yes
when: ansible_facts['os_family'] == 'Debian'
notify:
- Restart dnsmasq
- name: Copy in dnsmqsq config file
template:
src: "dnsmasq.conf.j2"
dest: "/etc/dnsmasq.d/inspector-dnsmasq.conf"
notify:
- Restart dnsmasq
- name: Default pxelinux.0 config
template:
src: pxelinux-default.j2
dest: "{{ ironic_inspector_tftpboot_dir }}/pxelinux.cfg/default"
- name: Create directories
file:
path: "{{ item }}"
state: directory
- name: Copy Inspector iPXE Configuration
template:
src: inspector.ipxe.j2
dest: "{{ ironic_http_root }}/inspector.ipxe"
owner: "{{ ironic_system_user_name }}"
group: "{{ ironic_system_group_name }}"
mode: "0755"
with_items:
- /etc/dnsmasq.d/dhcp-hostsdir
- name: Download IPA Kernel Image
get_url:
url: "{{ ironic_deploy_kernel_url }}"
dest: "/httpboot/{{ ironic_inspector_ipa_kernel_name }}"
checksum: "sha256:{{ ironic_deploy_kernel_sha_url }}"
owner: "{{ ironic_system_user_name }}"
group: "{{ ironic_system_group_name }}"
mode: '0644'
- name: Download IPA Ramdisk Image
get_url:
url: "{{ ironic_deploy_ramdisk_url }}"
dest: "/httpboot/{{ ironic_inspector_ipa_initrd_name }}"
checksum: "sha256:{{ ironic_deploy_ramdisk_sha_url }}"
owner: "{{ ironic_system_user_name }}"
group: "{{ ironic_system_group_name }}"
mode: '0644'
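Review bot: Both `get_url` tasks write to a literal `/httpboot/`, while `inspector.ipxe` is rendered into `{{ ironic_http_root }}` and the iPXE script fetches the kernel and ramdisk from `{{ ironic_http_url }}`. If an operator overrides the HTTP root, the images land outside the served directory and a stale or unverified copy may be what nodes actually boot. Using `dest: "{{ ironic_http_root }}/{{ ironic_inspector_ipa_kernel_name }}"` and the initrd equivalent keeps the three tasks aligned. `inspector.ipxe` is a data file served over HTTP, so `mode: "0644"` is enough instead of `"0755"`. Old and new lines are interleaved on this page, so this assumes the iPXE and download tasks are the added ones.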


@ -0,0 +1,42 @@
---
# Copyright 2021, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Copy in dhcp config file
template:
src: "dhcpd.conf.j2"
dest: "/etc/dhcp/dhcpd.conf"
notify:
- Restart isc-dhcp-server
- name: Copy in dnsmasq config file
template:
src: "dnsmasq.conf.j2"
dest: "/etc/ironic-inspector/inspector-dnsmasq.conf"
owner: "{{ ironic_system_user_name }}"
group: "{{ ironic_system_group_name }}"
mode: "0640"
notify:
- Restart ironic-inspector-dnsmasq
- name: Create directories
file:
path: "{{ item }}"
state: directory
owner: "{{ ironic_system_user_name }}"
group: "{{ ironic_system_group_name }}"
mode: "0755"
with_items:
- /etc/ironic-inspector/dhcp-hostsdir
- /var/lib/ironic-inspector/
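Review bot: `inspector-dnsmasq.conf` is installed with `owner: "{{ ironic_system_user_name }}"`, yet the unit this change defines for it runs `/usr/sbin/dnsmasq` with `systemd_user_name: root`, so a file the unprivileged service account can rewrite is loaded by a root process. Only the `dhcp-hostsdir` directory appears to need to be writable by inspector. For the config itself, `owner: root` with `group: "{{ ironic_system_group_name }}"` and the existing `mode: "0640"` keeps it readable without crossing that privilege boundary. The template task also runs before "Create directories", so it relies on `/etc/ironic-inspector` already existing at pre-install time, which is not visible here.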


@ -121,6 +121,11 @@
tags:
- ironic-config
- import_tasks: ironic_inspector_pre_install.yml
when: inventory_hostname in groups['ironic_inspector']
tags:
- ironic-inspector
- name: Run the systemd service role
import_role:
name: systemd_service
@ -155,6 +160,6 @@
- ironic-config
- import_tasks: ironic_inspector_post_install.yml
when: "{{ inventory_hostname in groups['ironic_inspector'] }}"
when: inventory_hostname in groups['ironic_inspector']
tags:
- ironic-inspector

View File

@ -1,15 +1,24 @@
port=15553
bind-interfaces
interface={{ ironic_inspector_dhcp_interface }}
listen-address={{ ironic_inspector_dhcp_address }}
dhcp-range={{ ironic_inspector_dhcp_pool_range | regex_replace(' ', ',') }}
tftp-root={{ ironic_inspector_tftpboot_dir }}
dhcp-option=3,{{ ironic_inspector_dhcp_gateway }}
dhcp-option=6,{{ ironic_inspector_dhcp_nameservers }}
dhcp-match=ipxe,175
dhcp-match=set:efi,option:client-arch,7
listen-address={{ ironic_inspector_dhcp_address }}
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# OLD, but keep
#dhcp-boot=pxelinux.0,localhost.localdomain,{{ ironic_tftp_server_address }}
# Client is already running iPXE; move to next stage of chainloading
dhcp-boot=tag:ipxe,{{ ironic_http_url }}/inspector.ipxe
# Client is PXE booting over EFI without iPXE ROM,
# send EFI version of iPXE chainloader
dhcp-boot=tag:efi,tag:!ipxe,ipxe.efi
dhcp-boot=pxelinux.0,localhost.localdomain,{{ ironic_tftp_server_address }}
conf-dir=/etc/dnsmasq.d/,*.conf
dhcp-hostsdir=/etc/dnsmasq.d/dhcp-hostsdir
# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
dhcp-boot=undionly.kpxe,localhost.localdomain,{{ ironic_tftp_server_address }}
dhcp-hostsdir=/etc/ironic-inspector/dhcp-hostsdir
dhcp-leasefile=/var/lib/ironic-inspector/inspector-dnsmasq.leases
dhcp-sequential-ip
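Review bot: `port=15553` on the first line leaves dnsmasq's DNS service listening on a non-standard port, although clients are handed other resolvers through `dhcp-option=6`. If nothing queries this instance for DNS, `port=0` turns the listener off and leaves only DHCP (and TFTP, if enabled elsewhere) exposed on `{{ ironic_inspector_dhcp_interface }}`. Separately, `dhcp-match=ipxe,175` uses the legacy tag form while the EFI matches use `set:efi`; `dhcp-match=set:ipxe,175` would be consistent. The `+`/`-` markers are lost on this page, so it is not certain which of these lines the commit adds.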


@ -28,16 +28,16 @@ enroll_node_driver = ipmi
[dnsmasq_pxe_filter]
{% if ironic_inspector_pxe_filter == "dnsmasq" %}
dhcp_hostsdir = /etc/dnsmasq.d/dhcp-hostsdir
dnsmasq_start_command = systemctl start dnsmasq
dnsmasq_stop_command = systemctl stop dnsmasq
dhcp_hostsdir = /etc/ironic-inspector/dhcp-hostsdir
dnsmasq_start_command = systemctl start ironic-inspector-dnsmasq
dnsmasq_stop_command = systemctl stop ironic-inspector-dnsmasq
{% endif %}
[iptables]
{% if ironic_inspector_pxe_filter == "iptables" %}
manage_firewall = True
{% endif %}
dnsmasq_interface = br-ironic
dnsmasq_interface = {{ ironic_inspector_dhcp_interface }}
[ironic]
username = ironic
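Review bot: `dnsmasq_start_command` and `dnsmasq_stop_command` now name `ironic-inspector-dnsmasq`, but none of the file sections shown on this page touches a rootwrap filter or other privilege rule. Confirm that whatever lets the inspector service account run `systemctl` for the dnsmasq filter matches the new unit name, and that it is limited to starting and stopping that one unit rather than allowing `systemctl` in general. A short comment above the two options naming the rule they depend on would make the coupling visible to the next maintainer.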


@ -0,0 +1,10 @@
#!ipxe
:retry_dhcp
dhcp || goto retry_dhcp
:retry_boot
imgfree
kernel --timeout 30000 {{ ironic_http_url }}/{{ ironic_inspector_ipa_kernel_name }} ipa-inspection-callback-url={{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd={{ ironic_inspector_ipa_initrd_name }} || goto retry_boot
initrd --timeout 30000 {{ ironic_http_url }}/{{ ironic_inspector_ipa_initrd_name }} || goto retry_boot
boot
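Review bot: The `kernel` line hard-codes its arguments and never expands `{{ ironic_inspector_pxe_append_params | default('') }}`, which the pxelinux template on this page does append. Operator-set parameters, and the `console=` settings, therefore apply only on the legacy PXE path, and the two boot paths can diverge without anyone noticing. Appending the same variable before `|| goto retry_boot` keeps them equivalent. Both `goto` loops also retry immediately and without limit, so a node that cannot reach the DHCP or HTTP service will keep hitting it; a short `sleep` before each retry would bound that load.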


@ -2,7 +2,7 @@ default inspect
label inspect
kernel {{ ironic_inspector_ipa_kernel_name }}
append initrd={{ ironic_inspector_ipa_initrd_name }} ipa-inspection-callback-url=http://{{ internal_lb_vip_address }}:5050/v1/continue nomodeset vga=normal console=tty0 console=ttyS0,115200n8 {{ ironic_inspector_pxe_append_params | default('') }}
append initrd={{ ironic_inspector_ipa_initrd_name }} ipa-inspection-callback-url={{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}/v1/continue nomodeset vga=normal console=tty0 console=ttyS0,115200n8 {{ ironic_inspector_pxe_append_params | default('') }}
ipappend 3