Commit Graph

21 Commits

Author SHA1 Message Date
Dmitry Tantsur 3ebfdf05e1 Support listening on a Unix socket
When using nginx to terminate TLS (like it's done in Bifrost), it's more
secure to use a Unix socket for communication, so that local users
cannot access plain text communication.

Change-Id: I37b762cca035b5855deb92635c29e8eb97a87c20
2022-02-01 10:30:11 +01:00
douyali 96096144bb Add ibmc_address to ipmi_address_fields
To use the ibmc driver to inspect, the ironic-inspector config file
needs to be edited to add ibmc_address.

Change-Id: Ie1c665b80b10b6a4d5a3fce1ea4849a8c996cf69
2021-03-22 21:24:37 +01:00
wes hayutin b4f008f08e Revert "Power off before inspection"
This reverts commit 34b264ef08.

Partial-Bug: #1897505
Change-Id: Ia0623e9183cd5c774397bf233b87dcc4d33c2566
2020-09-29 00:24:14 +00:00
Julia Kreger 34b264ef08 Power off before inspection
Power off nodes before inspection as failed previous
inspection attempts may cause re-inspection attempts
to fail.

Change-Id: I7405420ad441428dc82360d84b75e03921031482
Story: 2008107
Task: 40820
2020-09-04 13:32:00 -07:00
Julia Kreger bbc5cd7da5 Fix URL parsing to enable redfish_address matching
Fixes the ironic utilities logic to parse URLs in driver_info
properly.

Also adds ``redfish_address`` to the default list of fields to
evaluate for host matching.

Previously an operator could add the field to the list, but the
matching logic would not match the URL as it did not know to
decompose the url and identify the hostname portion of the url.

Resolves: rhbz#1670336
Story: 2008010
Task: 40660
Change-Id: Ice86e9ab3efb98b649141bdf7e1e2febdc9203a8
2020-08-13 18:05:17 +00:00
Dmitry Tantsur 6a8d46b33b Listen on :: by default
On most target systems it will make it available on both V4 and V6.

Change-Id: Ie918bc8572ff7f0ce2712cbb248e8ee9bf4c3d20
2020-08-07 12:17:57 +02:00
Dmitry Tantsur 0d20064f44 Add leader election for periodic sync with ironic
Periodically elect a leader to do the cleanup sync with
Ironic (to avoid unnecessary calls to Ironic in a
multi-inspector setup).
Add config option 'leader_election_interval' to control
the period in which the leader is elected.

Co-authored-by: Arne Wiebalck <arne.wiebalck@cern.ch>

Story: #2007801
Change-Id: I6f60aea41865f09f9e53e5d91b1e887f0b39efbd
2020-07-02 12:17:28 +02:00
Zuul a78df4b827 Merge "Allow operators to disable clean_up sync" 2020-06-30 12:42:03 +00:00
Julia Kreger 2f828aed46 Allow operators to disable clean_up sync
Some operators simply don't need the periodic clean up sync
task as part of their ironic deployment with ironic-inspector
as they are not using the PXE filtering to manage access for
machines as part of discovery.

In these "standalone" use cases, there is typically no neutron,
and everything is managed externally from ironic-inspector.

Change-Id: I0036b2cdb7d562e90855ccabd108392f2f97c6f9
2020-06-29 16:53:28 -07:00
Julia Kreger 463cc07e85 Remove cimc_address from address field list
The cimc driver was removed from ironic some time ago
and as such it does not make sense to continue to include
the reference in ironic-inspector.

Change-Id: I4f226b79e66ae19402a2700160b2f0cd8f783470
2020-06-16 22:57:05 +00:00
Steve Baker 196c019771 Enable Basic HTTP authentication middleware.
When the config option ``auth_strategy`` is set to ``http_basic`` then
non-public API calls require a valid HTTP Basic authentication header to be
set. The config option ``http_basic_auth_user_file`` defaults to
``/etc/ironic-inspector/htpasswd`` and points to a file which supports the
Apache htpasswd syntax[1]. This file is read for every request, so no
service restart is required when changes are made.

The only password digest supported is bcrypt, and the ``bcrypt``
python library is used for password checks since it supports ``$2y$``
prefixed bcrypt passwords as generated by the Apache htpasswd utility.

To try basic authentication, the following can be done:

* Set ``/etc/ironic-inspector/inspector.conf`` ``DEFAULT`` ``auth_strategy``
  to ``http_basic``
* Populate the htpasswd file with entries, for example:
  ``htpasswd -nbB myName myPassword >> /etc/ironic-inspector/htpasswd``
* Make basic authenticated HTTP requests, for example:
  ``curl --user myName:myPassword http://localhost:6385/v1/introspection``

[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html

Change-Id: If50dfbfc18445ad9fe27e17cb0ee1b317ff25a0b
Depends-On: https://review.opendev.org/729070
Story: 2007656
Task: 39826
2020-06-05 01:28:40 +12:00
Dmitry Tantsur 3d1bf55b35 Avoid using introspection start delays with non-managed boot
When boot is managed by the ironic side, a node is powered on
right after starting introspection. Inspector's own delays play
no role and may actually prevent introspection from happening if
a node boots faster than it's whitelisted in the PXE filter.

This change moves the delay handling later in the process and
only does it when manage_boot is True.

Change-Id: If7de8b66ea42eff2966c62a9a0529ab9a5c06f26
Story: #2007658
Task: #39745
2020-05-12 12:17:45 +02:00
Kaifeng Wang 1bed475409 Adds tooz locking driver
Adds tooz requirements, configuration options and locking support.

Story: 2001842
Task: 30376

Change-Id: I78ffdeeb502cbed0550152b19efbb224f47c65af
2019-08-02 09:58:10 +08:00
Dmitry Tantsur 258d7388a4 Expose baremetal-introspection endpoint via mdns
This change adds an option to publish the endpoint via mDNS on start
up and clean it up on tear down.

Story: #2005393
Task: #30384
Change-Id: Ia9407cb065979aac6761d3e4122d3884e45b559d
2019-05-22 13:58:55 +02:00
Kaifeng Wang 6e7b62a6eb Remove deprecated ssl options
[DEFAULT]ssl_cert_path and [DEFAULT]ssl_key_path were removed in this
patch.

Change-Id: I9358a4c8d540c4d6b3f4b5c36e357d9e9174af50
2019-04-09 13:22:57 +08:00
Dmitry Tantsur ab4a3bd867 Prevent abnormal timeout values from breaking sync with ironic
I had a case when an operator set the timeout to an abnormally large
value, which caused OverflowError in the timeout clean_up task, which,
in turn, prevented ironic-inspector from ever running node list sync
with ironic.

This change makes two corrections:
* The timeout configuration is limited to 10 years (0 can still be used
  to disable the timeout completely).
* Errors in the clean_up task do not prevent the node list sync from
  running.

Change-Id: Ie3ad29a4abb9ac58c41b776042f80dff6a9c72d2
Story: #2004807
Task: #28963
2019-01-17 16:46:03 +01:00
Kaifeng Wang edd6810c3d Wrap Flask into oslo.service
This patch is part of inspector HA work, which wraps inspector api into
oslo service.

oslo.service has also provided support for signal processing like SIGHUP or
SIGTERM, so this code was removed in this patch.

Deprecated current SSL cert/key options used by ironic-inspector; code that
manually creates the ssl context was removed. These options will be fed
from [ssl] section.

Change-Id: Ia5e16fcb9104556d62c90f5507f17b41f73a5208
Story: #2001842
Task: #12609
2018-10-23 09:20:16 +08:00
Kaifeng Wang a228912827 Wrap rpc server into oslo.service
This patch is part of work splitting inspector api and worker.
The rpc server is wrapped into oslo.service, and launched from
api process.

Now api and worker belong to separate threads, functional tests
use the fake messaging driver, while devstack jobs use rabbitmq.

Change-Id: Ie03d16f9d115c3561723463dea6a57d2a763bcc6
Story: #2001842
Task: #23109
2018-10-23 09:17:42 +08:00
Kaifeng Wang 0c7a52b624 Remove deprecated option node_status_keep_time
[DEFAULT]node_status_keep_time was deprecated long ago [1], this
patch removes it so that inspector will not automatically remove
node status in regards to configuration option.

This also makes sense when we use other store backends in the
future.

Change-Id: I8261ce115fdb03ffcfe3a1cc4ca7c8ec747be832
Related-Bug: #1695858
2018-08-10 09:37:23 +08:00
Dmitry Tantsur e7c3218f71 Add manage_boot parameter to introspection API
Adds a new node field "manage_boot" to store this value. When it is set
to False, neither boot device nor power state are touched for this node.
Instead, we expect a 3rd party to handle them.

We still manage the PXE filter because the node may need DHCP.

Change-Id: Id3585bd32138a069dfcfc0ab04ee4f5f10f0a5ea
Story: #1528920
Task: #11338
2018-06-25 12:09:17 +02:00
Pavlo Shchelokovskyy 71a2bef7d9 Centralize config options
Consolidate all config options under ``conf`` directory.

New config modules should give a better picture of the configuration
options provided by the inspector.

Change-Id: I501ed0787ff4e1d91462f936e1a54de2c7abb35c
Related-Bug: #1561100
Co-Authored-By: Anton Arefiev <aarefiev@mirantis.com>
2018-01-04 20:43:58 -08:00