Configure the new inspection implementation

The ironic-inspector one is still the default at this point. Change-Id: I431ced6496ca6dac078a240f653afd33256048f6
2023-09-29 12:37:36 +02:00 · 2023-09-29 12:37:36 +02:00 · ea0b4ec50b
parent 77898f7da3
commit ea0b4ec50b
12 changed files with 72 additions and 11 deletions
--- a/doc/source/user/architecture.rst
+++ b/doc/source/user/architecture.rst
@ -17,7 +17,8 @@ ironic-inspector_
    Inspector is an auxiliary service that provides `in-band inspection`_.
    Its `introspection API`_ is served on TCP port 5050.

-    Inspector can be disabled by setting ``enable_inspector=false``.
+    Inspector can be disabled by setting ``enable_inspector=false``. In this
+    case, Ironic's `native in-band inspection`_ will be used.

 mariadb_
    MariaDB is used as a database to persistently store information.
@ -194,8 +195,9 @@ Runtime locations
 .. _ironic: https://docs.openstack.org/ironic/latest/
 .. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
 .. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/
-.. _in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection.html#in-band-inspection
+.. _in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/inspector.html
 .. _introspection API: https://docs.openstack.org/api-ref/baremetal-introspection/
+.. _native in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/index.html
 .. _mariadb: https://mariadb.org/
 .. _nginx: https://nginx.org/
 .. _dnsmasq: https://dnsmasq.org/
--- a/playbooks/ci/run.yaml
+++ b/playbooks/ci/run.yaml
@ -23,3 +23,4 @@
        ENABLE_TLS: "{{ enable_tls | default(false) | bool | lower }}"
        ENABLE_PROMETHEUS_EXPORTER: "{{ enable_prometheus_exporter | default(false) | bool | lower }}"
        USE_VMEDIA: "{{ use_vmedia | default(false) | bool | lower }}"
+        USE_INSPECTOR: "{{ use_inspector | default(true) | bool | lower }}"
--- a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
@ -201,4 +201,10 @@
    owner: ironic
    group: ironic
    mode: "0644"
-  when: enable_inspector | bool
+  vars:
+    inspection_callback_url: >-
+      {% if enable_inspector | bool %}
+      {{ api_protocol }}://{{ internal_ip }}:5050/v1/continue
+      {% else %}
+      {{ api_protocol }}://{{ internal_ip }}:6385/v1/continue_inspection
+      {% endif %}
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_start.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_start.yml
@ -18,3 +18,18 @@
    name: ironic-inspector
    state: restarted
    enabled: yes
+  when: enable_inspector | bool
+
+- name: "Stop inspector if it is disabled"
+  service:
+    name: ironic-inspector
+    state: stopped
+    enabled: no
+  ignore_errors: true
+  when: not enable_inspector | bool
+
+- name: "Remove inspector if it is disabled"
+  file:
+    path: "{{ init_dest_dir }}ironic-inspector.service"
+    state: absent
+  when: not enable_inspector | bool
--- a/playbooks/roles/bifrost-ironic-install/tasks/start.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/start.yml
@ -31,9 +31,8 @@
    state: started
    enabled: yes

- name: "Start ironic-inspector"
+- name: "Start/stop ironic-inspector"
  include_tasks: inspector_start.yml
-  when: enable_inspector | bool

 - name: "Stop old ironic services"
  service:
--- a/playbooks/roles/bifrost-ironic-install/templates/inspector-default-boot-ipxe.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/inspector-default-boot-ipxe.j2
@ -5,6 +5,6 @@ dhcp || reboot
 goto introspect

 :introspect
-kernel {{ ipa_kernel_url }} ipa-inspection-callback-url={{ api_protocol }}://{{ internal_ip }}:5050/v1/continue {% if fast_track | bool %}ipa-api-url={{ api_protocol }}://{{ internal_ip }}:6385{% endif %} systemd.journald.forward_to_console=yes BOOTIF=${mac} nofb nomodeset vga=normal {% if testing | bool %}console=ttyS0{% endif %} {{ inspector_extra_kernel_options | default('') }} ipa-insecure=1 {% if inspector_debug | bool %}ipa-debug=1{% endif %} initrd={{ ipa_ramdisk_url | basename }}
+kernel {{ ipa_kernel_url }} ipa-inspection-callback-url={{ inspection_callback_url }} {% if fast_track | bool %}ipa-api-url={{ api_protocol }}://{{ internal_ip }}:6385{% endif %} systemd.journald.forward_to_console=yes BOOTIF=${mac} nofb nomodeset vga=normal {% if testing | bool %}console=ttyS0{% endif %} {{ inspector_extra_kernel_options | default('') }} ipa-insecure=1 {% if inspector_debug | bool %}ipa-debug=1{% endif %} initrd={{ ipa_ramdisk_url | basename }}
 initrd {{ ipa_ramdisk_url }}
 boot
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@ -8,8 +8,11 @@ debug = {{ ironic_debug | bool }}
 enabled_network_interfaces = noop
 default_deploy_interface = {{ default_deploy_interface }}
 {% if enable_inspector | bool == true %}
-enabled_inspect_interfaces = no-inspect,inspector
+enabled_inspect_interfaces = no-inspect,inspector,agent
 default_inspect_interface = inspector
+{% else %}
+enabled_inspect_interfaces = no-inspect,agent
+default_inspect_interface = agent
 {% endif %}
 enabled_bios_interfaces = {{ enabled_bios_interfaces }}
 enabled_boot_interfaces = {{ enabled_boot_interfaces }}
@ -147,11 +150,13 @@ kernel_append_params = {{ ilo_kernel_params }}
 use_swift = False
 kernel_append_params = {{ redfish_kernel_params }}

-{% if enable_inspector | bool == true %}
 [inspector]
 power_off = {{ power_off_after_inspection }}
 extra_kernel_params = {{ inspector_extra_kernel_options | default('') }}
 require_managed_boot = False
+add_ports = {{ inspector_port_addition | default('pxe') }}
+keep_ports = {{ inspector_keep_ports | default('present') }}
+{% if enable_inspector | bool %}
 {% if enable_keystone | bool %}
 auth_type = password
 auth_url = {{ ironic.service_catalog.auth_url }}
--- a/playbooks/roles/bifrost-test-inspection/tasks/main.yml
+++ b/playbooks/roles/bifrost-test-inspection/tasks/main.yml
@ -13,12 +13,11 @@
 # limitations under the License.
 ---
 - name: Check node hardware inspection data
-  command: "baremetal introspection data save {{ uuid }}"
+  command: "baremetal node inventory save {{ uuid }}"
  register: inspection_data
  environment:
    OS_CLOUD: bifrost

-# TODO(mgoddard): More validation of data format and contents.
 - name: Validate the inspection data format
  assert:
    that:
--- a/releasenotes/notes/new-inspection-441b578de2206415.yaml
+++ b/releasenotes/notes/new-inspection-441b578de2206415.yaml
@ -0,0 +1,18 @@
+---
+features:
+  - |
+    When ``enable_inspector`` is set to ``false`` (the default is ``true``),
+    the new built-in inspection implementation is now configured. Note that
+
+    * The new implementation has not at the moment of writing achieved a
+      complete feature parity with ironic-inspector: see
+      https://docs.openstack.org/ironic/latest/admin/inspection/index.html
+      for the available features.
+
+    * Whether inspection actually runs is not defined by this parameter but
+      rather by ``inspect_nodes`` (or the ``--inspect`` argument to
+      ``./bifrost-cli enroll``).
+upgrade:
+  - |
+    If ironic-inspector support is disabled via ``enable_inspector`` set to
+    ``false``, the service will be stopped and removed on upgrade.
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@ -35,7 +35,7 @@ TEST_VM_NUM_NODES=1
 DOWNLOAD_CUSTOM_DEPLOY_IMAGE=true
 TESTING_USER=cirros
 TEST_PLAYBOOK="test-bifrost.yaml"
-USE_INSPECTOR=true
+USE_INSPECTOR=${USE_INSPECTOR:-true}
 INSPECT_NODES=true
 INVENTORY_DHCP=false
 INVENTORY_DHCP_STATIC_IP=false
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@ -119,6 +119,12 @@
      test_driver: redfish
      enable_prometheus_exporter: true

+- job:
+    name: bifrost-integration-noinspector-ubuntu-jammy
+    parent: bifrost-integration-tinyipa-ubuntu-jammy
+    vars:
+      use_inspector: false
+
 - job:
    name: bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
    parent: bifrost-integration-tinyipa-ubuntu-jammy
@ -164,6 +170,12 @@
      test_driver: redfish
      enable_prometheus_exporter: true

+- job:
+    name: bifrost-integration-noinspector-centos-9
+    parent: bifrost-integration-tinyipa-centos-9
+    vars:
+      use_inspector: false
+
 - job:
    name: bifrost-integration-tinyipa-debian-bullseye
    parent: bifrost-integration-tinyipa
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -16,6 +16,8 @@
        - bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
        - bifrost-integration-redfish-vmedia-uefi-centos-9
        - bifrost-integration-redfish-vmedia-uefi-debian-bookworm
+        - bifrost-integration-noinspector-centos-9
+        - bifrost-integration-noinspector-ubuntu-jammy
        - bifrost-upgrade-ubuntu-jammy
        - bifrost-upgrade-keystone-centos9
        # Non-voting jobs
@ -64,6 +66,8 @@
        - bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
        - bifrost-integration-redfish-vmedia-uefi-centos-9
        - bifrost-integration-redfish-vmedia-uefi-debian-bookworm
+        - bifrost-integration-noinspector-centos-9
+        - bifrost-integration-noinspector-ubuntu-jammy
        - bifrost-upgrade-ubuntu-jammy
        - bifrost-upgrade-keystone-centos9
    experimental: