Fix Inspector dnsmasq config for IPv6

Extend and re-name the function ipv6_netmask_to_prefix() to ipv6_normalize_dnsmasq_ip_subnets(). It now changes the netmask to prefix and removes the 'gateway' if it is an IPv6 subnet. On IPv6 router info should be provided in router advertisements. There was a draft to add support in DHCPv6, but it was never completed. https://datatracker.ietf.org/doc/draft-ietf-mif-dhcpv6-route-option/ Also: Add match for userclass iPXE and set option6:bootfile-url Closes-Bug: #1844573 Change-Id: I47d88519acd18630e0d5682d93f1088771ec03a1
2019-09-19 09:02:16 +02:00 · 2019-09-19 09:02:16 +02:00 · 15eedd0c4c
parent b0c9b9ffae
commit 15eedd0c4c
7 changed files with 61 additions and 29 deletions
--- a/lib/puppet/functions/ipv6_netmask_to_prefix.rb
+++ b/lib/puppet/functions/ipv6_netmask_to_prefix.rb
@ -1,25 +0,0 @@
-Puppet::Functions.create_function(:ipv6_netmask_to_prefix) do
-  def ipv6_netmask_to_prefix(args)
-    require 'ipaddr'
-    result = []
-    args.each do |ip_subnet|
-      begin
-        if IPAddr.new(ip_subnet["netmask"]).ipv6?
-          # TODO(hjensas) Once we have ruby stdlib >= 2.5.x we can use
-          # IPAddr.new().prefix instead of counting 1's.
-          prefix = IPAddr.new(ip_subnet["netmask"]).to_i.to_s(2).count("1")
-          Puppet.debug("Netmask #{ip_subnet["netmask"]} changed to prefix #{prefix}")
-          ip_subnet_dup = ip_subnet.dup
-          ip_subnet_dup["netmask"] = prefix
-          result << ip_subnet_dup
-        else
-          result << ip_subnet
-        end
-      rescue IPAddr::AddressFamilyError, IPAddr::Error, IPAddr::InvalidAddressError, IPAddr::InvalidPrefixError => e
-        # Ignore it
-        result << ip_subnet
-      end
-    end
-    return result
-  end
-end
--- a/lib/puppet/functions/ipv6_normalize_dnsmasq_ip_subnets.rb
+++ b/lib/puppet/functions/ipv6_normalize_dnsmasq_ip_subnets.rb
@ -0,0 +1,37 @@
+Puppet::Functions.create_function(:ipv6_normalize_dnsmasq_ip_subnets) do
+  def ipv6_normalize_dnsmasq_ip_subnets(args)
+    require 'ipaddr'
+    result = []
+    args.each do |ip_subnet|
+      ip_subnet_dup = ip_subnet.dup
+      begin
+        if ip_subnet["netmask"]
+          if IPAddr.new(ip_subnet["netmask"]).ipv6?
+            # TODO(hjensas) Once we have ruby stdlib >= 2.5.x we can use
+            # IPAddr.new().prefix instead of counting 1's.
+            prefix = IPAddr.new(ip_subnet["netmask"]).to_i.to_s(2).count("1")
+            Puppet.debug("Netmask #{ip_subnet["netmask"]} changed to prefix #{prefix}")
+            ip_subnet_dup["netmask"] = prefix
+          end
+        end
+      rescue IPAddr::AddressFamilyError, IPAddr::Error, IPAddr::InvalidAddressError, IPAddr::InvalidPrefixError => e
+        # Ignore it
+      end
+      begin
+        if ip_subnet["gateway"]
+          if IPAddr.new(ip_subnet["gateway"]).ipv6?
+            # draft-ietf-mif-dhcpv6-route-option-05 was never completed.
+            # https://datatracker.ietf.org/doc/draft-ietf-mif-dhcpv6-route-option/
+            # Remove the gateway key:value so that the option:router entry is
+            # not created in dnsmasq.conf.
+            ip_subnet_dup.delete("gateway")
+          end
+        end
+      rescue IPAddr::AddressFamilyError, IPAddr::Error, IPAddr::InvalidAddressError, IPAddr::InvalidPrefixError => e
+        # Ignore it
+      end
+      result << ip_subnet_dup
+    end
+    return result
+  end
+end
--- a/manifests/inspector.pp
+++ b/manifests/inspector.pp
@ -311,7 +311,8 @@ class ironic::inspector (
    require => Anchor['ironic-inspector::config::begin'],
  }

-  $dnsmasq_ip_subnets_real = ipv6_netmask_to_prefix($dnsmasq_ip_subnets)
+  $dnsmasq_local_ip_real = normalize_ip_for_uri($dnsmasq_local_ip)
+  $dnsmasq_ip_subnets_real = ipv6_normalize_dnsmasq_ip_subnets($dnsmasq_ip_subnets)

  if $pxe_transfer_protocol == 'tftp' {
    file { '/etc/ironic-inspector/dnsmasq.conf':
--- a/releasenotes/notes/fix-dnsmasq-conf-ipv6-33d320210be7b1ac.yaml
+++ b/releasenotes/notes/fix-dnsmasq-conf-ipv6-33d320210be7b1ac.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    The dnsmasq configuration written for ironic-inspector did not work with
+    IPv6 addressing. Router addresses should be provided by router
+    advertisements, DHCPv6 does not support a router option.
+    `1844573 <https://bugs.launchpad.net/puppet-ironic/+bug/1844573>`_.
+
--- a/spec/classes/ironic_inspector_spec.rb
+++ b/spec/classes/ironic_inspector_spec.rb
@ -179,7 +179,7 @@ describe 'ironic::inspector' do
      is_expected.to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
        /dhcp-range=set:subnet3,2001:4888:a03:313a:c0:fe0:0:c200,2001:4888:a03:313a:c0:fe0:0:c2ff,64,10m/
      )
-      is_expected.to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
+      is_expected.not_to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
        /dhcp-option=tag:subnet3,option:router,2001:4888:a03:313a:c0:fe0:0:c000/
      )
    end
@ -260,6 +260,12 @@ describe 'ironic::inspector' do
        is_expected.to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
            /log-queries/
        )
+        is_expected.to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
+            /dhcp-userclass=set:ipxe6,iPXE/
+        )
+        is_expected.to contain_file('/etc/ironic-inspector/dnsmasq.conf').with_content(
+            /dhcp-option=tag:ipxe6,option6:bootfile-url,http:\/\/.*:3816\/inspector.ipxe/
+        )
      end
      it 'should contain file /var/www/httpboot/inspector.ipxe' do
        is_expected.to contain_file('/var/www/httpboot/inspector.ipxe').with(
--- a/spec/functions/ipv6_normalize_dnsmasq_ip_subnets_spec.rb
+++ b/spec/functions/ipv6_normalize_dnsmasq_ip_subnets_spec.rb
@ -1,9 +1,12 @@
 require 'spec_helper'

-describe 'ipv6_netmask_to_prefix' do
+describe 'ipv6_normalize_dnsmasq_ip_subnets' do
  it { should run.with_params([{'ip_range' => '192.168.0.100,192.168.0.120'}]).and_return([{'ip_range' => '192.168.0.100,192.168.0.120'}])}
  it { should run.with_params([{'netmask' => '255.255.255.0',}]).and_return([{'netmask' => '255.255.255.0'}])}
  it { should run.with_params([{'netmask' => 'ffff:ffff:ffff:ffff::'}]).and_return([{'netmask' => 64}])}
  it { should run.with_params([{'netmask' => '64'}]).and_return([{'netmask' => '64'}])}
  it { should run.with_params([{'netmask' => 64}]).and_return([{'netmask' => 64}])}
+  it { should run.with_params([{'gateway' => '192.168.0.1'}]).and_return([{'gateway' => '192.168.0.1'}])}
+  it { should run.with_params([{'gateway' => 'fd00::1'}]).and_return([{}])}
+  it { should run.with_params([{'netmask' => 'ffff:ffff:ffff:ffff::', 'gateway' => 'fd00::1'}]).and_return([{'netmask' => 64}])}
 end
--- a/templates/inspector_dnsmasq_http.erb
+++ b/templates/inspector_dnsmasq_http.erb
@ -43,8 +43,10 @@ dhcp-match=ipxe,175
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
+dhcp-userclass=set:ipxe6,iPXE
 # Client is already running iPXE; move to next stage of chainloading
-dhcp-boot=tag:ipxe,http://<%= @dnsmasq_local_ip %>:<%= @http_port_real %>/inspector.ipxe
+dhcp-boot=tag:ipxe,http://<%= @dnsmasq_local_ip_real %>:<%= @http_port_real %>/inspector.ipxe
+dhcp-option=tag:ipxe6,option6:bootfile-url,http://<%= @dnsmasq_local_ip_real %>:<%= @http_port_real %>/inspector.ipxe
 # Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
 dhcp-boot=tag:efi,tag:!ipxe,ipxe.efi
 # Client is running PXE over BIOS; send BIOS version of iPXE chainloader