Update Ironic Inspector for Metal Deployments

This patchset aims to correct some design limitations with the current
ironic-inspector deploy process.

- a new ironic-inspector-dnsmasq service has been created to split
inspector-specific dnsmasq configuration out of the base dnsmasq
config files
- PXE/iPXE and UEFI support for ironic-inspector boot
- (todo) documentation improvements and diagrams

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823426
Change-Id: Ib5cbb28f97dd7421bfecb815def89305f3b1da33

defaults/main.yml

@@ -79,6 +79,18 @@ ironic_services:
     service_name: ironic-inspector
     init_config_overrides: "{{ ironic_inspector_init_config_overrides }}"
     execstarts: "{{ ironic_bin }}/ironic-inspector"
+  ironic-inspector-dnsmasq:
+    group: ironic_inspector
+    service_name: ironic-inspector-dnsmasq
+    service_type: forking
+    systemd_user_name: root
+    systemd_group_name: root
+    init_config_overrides: "{{ ironic_inspector_dnsmasq_init_config_overrides }}"
+    execstarts: "/usr/sbin/dnsmasq --conf-file=/etc/ironic-inspector/inspector-dnsmasq.conf"
+    after_targets:
+      - openvswitch.service
+      - network.target
+    state: stopped
 
 ironic_service_name: ironic
 ironic_service_type: baremetal
@@ -356,13 +368,14 @@ ironic_inspector_pxe_boot_mode: "{{ ironic_inspector_boot_mode }}"
 ironic_inspector_httpboot_dir: /httpboot
 ironic_inspector_tftpboot_dir: "{{ ironic_tftpd_root }}"
 
-ironic_inspector_dhcp_interface: br-ironic
+ironic_inspector_dhcp_interface: br-bmaas
 ironic_inspector_valid_interfaces: internal,public
 
 ### Config Overrides
 ironic_inspector_conf_overrides: {}
 ironic_inspector_rootwrap_conf_overrides: {}
 ironic_inspector_init_config_overrides: {}
+ironic_inspector_dnsmasq_init_config_overrides: {}
 # pxe boot
 ironic_inspector_pxe_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes" #ipa-inspection-collectors=default,logs,extra_hardware
 
@@ -397,3 +410,12 @@ ironic_inspector_oslomsg_amqp1_enabled: True
 
 ironic_inspector_ipa_initrd_name: ironic-deploy.initrd
 ironic_inspector_ipa_kernel_name: ironic-deploy.kernel
+
+# The URLs defined here provide the location to the kernel and ramdisk used
+# for booting via ironic-inspector. The integrated Ironic Python Agent may
+# not be backwards compatible, so the version listed should match the
+# deployed cloud.
+ironic_deploy_ramdisk_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.initramfs
+ironic_deploy_ramdisk_sha_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.initramfs.sha256
+ironic_deploy_kernel_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.kernel
+ironic_deploy_kernel_sha_url: https://tarballs.opendev.org/openstack/ironic-python-agent/dib/files/ipa-centos8-stable-xena.kernel.sha256

handlers/main.yml

@@ -46,9 +46,9 @@
     state: restarted
   failed_when: false
 
-- name: Restart dnsmasq
+- name: Restart ironic-inspector-dnsmasq
   service:
-    name: "dnsmasq"
+    name: "ironic-inspector-dnsmasq"
     state: restarted
   failed_when: false
 

tasks/ironic_inspector_post_install.yml

@@ -13,51 +13,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Copy in dhcp config file
-  template:
-    src: "dhcpd.conf.j2"
-    dest: "/etc/dhcp/dhcpd.conf"
-  notify:
-    - Restart isc-dhcp-server
-
-- name: Ensure except lo dnsmasq setting
-  lineinfile:
-    path: /etc/default/dnsmasq
-    state: present
-    line: 'DNSMASQ_EXCEPT=lo'
-  when: ansible_facts['os_family'] == 'Debian'
-  notify:
-    - Restart dnsmasq
-
-- name: Uncomment IGNORE_RESOLVCONF line
-  lineinfile:
-    path: /etc/default/dnsmasq
-    state: present
-    regexp: '^#IGNORE_RESOLVCONF=.*'
-    line: 'IGNORE_RESOLVCONF=yes'
-    backrefs: yes
-  when: ansible_facts['os_family'] == 'Debian'
-  notify:
-    - Restart dnsmasq
-
-- name: Copy in dnsmqsq config file
-  template:
-    src: "dnsmasq.conf.j2"
-    dest: "/etc/dnsmasq.d/inspector-dnsmasq.conf"
-  notify:
-    - Restart dnsmasq
-
 - name: Default pxelinux.0 config
   template:
     src: pxelinux-default.j2
     dest: "{{ ironic_inspector_tftpboot_dir }}/pxelinux.cfg/default"
 
-- name: Create directories
-  file:
-    path: "{{ item }}"
-    state: directory
+- name: Copy Inspector iPXE Configuration
+  template:
+    src: inspector.ipxe.j2
+    dest: "{{ ironic_http_root }}/inspector.ipxe"  
     owner: "{{ ironic_system_user_name }}"
     group: "{{ ironic_system_group_name }}"
-    mode: "0755"
-  with_items:
-    - /etc/dnsmasq.d/dhcp-hostsdir
+
+- name: Download IPA Kernel Image
+  get_url:
+    url: "{{ ironic_deploy_kernel_url }}"
+    dest: "/httpboot/{{ ironic_inspector_ipa_kernel_name }}"
+    checksum: "sha256:{{ ironic_deploy_kernel_sha_url }}"
+    owner: "{{ ironic_system_user_name }}"
+    group: "{{ ironic_system_group_name }}"
+    mode: '0644'
+
+- name: Download IPA Ramdisk Image
+  get_url:
+    url: "{{ ironic_deploy_ramdisk_url }}"
+    dest: "/httpboot/{{ ironic_inspector_ipa_initrd_name }}"
+    checksum: "sha256:{{ ironic_deploy_ramdisk_sha_url }}"
+    owner: "{{ ironic_system_user_name }}"
+    group: "{{ ironic_system_group_name }}"
+    mode: '0644'

tasks/ironic_inspector_pre_install.yml

@@ -0,0 +1,42 @@
+---
+# Copyright 2021, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Copy in dhcp config file
+  template:
+    src: "dhcpd.conf.j2"
+    dest: "/etc/dhcp/dhcpd.conf"
+  notify:
+    - Restart isc-dhcp-server
+
+- name: Copy in dnsmasq config file
+  template:
+    src: "dnsmasq.conf.j2"
+    dest: "/etc/ironic-inspector/inspector-dnsmasq.conf"
+    owner: "{{ ironic_system_user_name }}"
+    group: "{{ ironic_system_group_name }}"
+    mode: "0640"
+  notify:
+    - Restart ironic-inspector-dnsmasq
+
+- name: Create directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ ironic_system_user_name }}"
+    group: "{{ ironic_system_group_name }}"
+    mode: "0755"
+  with_items:
+    - /etc/ironic-inspector/dhcp-hostsdir
+    - /var/lib/ironic-inspector/

tasks/main.yml

@@ -121,6 +121,11 @@
   tags:
     - ironic-config
 
+- import_tasks: ironic_inspector_pre_install.yml
+  when: inventory_hostname in groups['ironic_inspector']
+  tags:
+    - ironic-inspector
+
 - name: Run the systemd service role
   import_role:
     name: systemd_service
@@ -155,6 +160,6 @@
     - ironic-config
 
 - import_tasks: ironic_inspector_post_install.yml
-  when: "{{ inventory_hostname in groups['ironic_inspector'] }}"
+  when: inventory_hostname in groups['ironic_inspector']
   tags:
     - ironic-inspector

templates/dnsmasq.conf.j2

@@ -1,15 +1,24 @@
 port=15553
+bind-interfaces
 interface={{ ironic_inspector_dhcp_interface }}
+listen-address={{ ironic_inspector_dhcp_address }}
 dhcp-range={{ ironic_inspector_dhcp_pool_range | regex_replace(' ', ',') }}
 tftp-root={{ ironic_inspector_tftpboot_dir }}
 dhcp-option=3,{{ ironic_inspector_dhcp_gateway }}
 dhcp-option=6,{{ ironic_inspector_dhcp_nameservers }}
 dhcp-match=ipxe,175
 dhcp-match=set:efi,option:client-arch,7
-listen-address={{ ironic_inspector_dhcp_address }}
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
+# OLD, but keep
+#dhcp-boot=pxelinux.0,localhost.localdomain,{{ ironic_tftp_server_address }}
+# Client is already running iPXE; move to next stage of chainloading
+dhcp-boot=tag:ipxe,{{ ironic_http_url }}/inspector.ipxe
+# Client is PXE booting over EFI without iPXE ROM,
+# send EFI version of iPXE chainloader
 dhcp-boot=tag:efi,tag:!ipxe,ipxe.efi
-dhcp-boot=pxelinux.0,localhost.localdomain,{{ ironic_tftp_server_address }}
-conf-dir=/etc/dnsmasq.d/,*.conf
-dhcp-hostsdir=/etc/dnsmasq.d/dhcp-hostsdir
+# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
+dhcp-boot=undionly.kpxe,localhost.localdomain,{{ ironic_tftp_server_address }}
+dhcp-hostsdir=/etc/ironic-inspector/dhcp-hostsdir
+dhcp-leasefile=/var/lib/ironic-inspector/inspector-dnsmasq.leases
+dhcp-sequential-ip

templates/inspector.conf.j2

@@ -28,16 +28,16 @@ enroll_node_driver = ipmi
 
 [dnsmasq_pxe_filter]
 {% if ironic_inspector_pxe_filter == "dnsmasq" %}
-dhcp_hostsdir = /etc/dnsmasq.d/dhcp-hostsdir
-dnsmasq_start_command = systemctl start dnsmasq
-dnsmasq_stop_command  = systemctl stop dnsmasq
+dhcp_hostsdir = /etc/ironic-inspector/dhcp-hostsdir
+dnsmasq_start_command = systemctl start ironic-inspector-dnsmasq
+dnsmasq_stop_command  = systemctl stop ironic-inspector-dnsmasq
 {% endif %}
 
 [iptables]
 {% if ironic_inspector_pxe_filter == "iptables" %}
 manage_firewall = True
 {% endif %}
-dnsmasq_interface =  br-ironic
+dnsmasq_interface =  {{ ironic_inspector_dhcp_interface }}
 
 [ironic]
 username = ironic

templates/inspector.ipxe.j2

@@ -0,0 +1,10 @@
+#!ipxe
+
+:retry_dhcp
+dhcp || goto retry_dhcp
+
+:retry_boot
+imgfree
+kernel --timeout 30000 {{ ironic_http_url }}/{{ ironic_inspector_ipa_kernel_name }} ipa-inspection-callback-url={{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd={{ ironic_inspector_ipa_initrd_name }} || goto retry_boot
+initrd --timeout 30000 {{ ironic_http_url }}/{{ ironic_inspector_ipa_initrd_name }} || goto retry_boot
+boot

templates/pxelinux-default.j2

@@ -2,7 +2,7 @@ default inspect
 
 label inspect
 kernel {{ ironic_inspector_ipa_kernel_name }}
-append initrd={{ ironic_inspector_ipa_initrd_name }} ipa-inspection-callback-url=http://{{ internal_lb_vip_address }}:5050/v1/continue nomodeset vga=normal console=tty0 console=ttyS0,115200n8 {{ ironic_inspector_pxe_append_params | default('') }}
+append initrd={{ ironic_inspector_ipa_initrd_name }} ipa-inspection-callback-url={{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}/v1/continue nomodeset vga=normal console=tty0 console=ttyS0,115200n8 {{ ironic_inspector_pxe_append_params | default('') }}
 ipappend 3