The pxe_timeout parameter should be set to an integer value (or
a string representing an integer) and can't be set to
the os_service_default fact.
Closes-Bug: #2058229
Change-Id: I7b04e5586c82fc528f960beddfe50a7b355f6580
... and make pattern match for inspector dnsmasq.conf more
strict to detect missing new lines or unnecessary elements.
Closes-Bug: #2042526
Change-Id: I03abeb7c1519f5a2cbcddaa3722d4053eab3566f
The ipa-inspection-collectors option is optional so can be omitted.
Note that this change effectively enables the log collector which is
enabled by default in IPA since 6.4.0[1].
[1] d50ff06b6bbf8909496882c7200c11299dc6b039
Change-Id: I779d35d8244759023fe2dc1e889f5f4674b78561
This change introduces the new dnsmasq_log_facility parameter so that
users can customize log output from dnsmasq processes.
Change-Id: Ied9b42432cf12f0ea84b27a93389805589db3f30
In change Ia30aff290ec24972f387612851f8f630ddc9403b
the file in tftproot was renamed from ipxe.efi to
snponly.efi. Later the filename was parameterized
in change I565e3ae6388812c358e86fac49b17e0cce97b9df.
The dnsmasq DHCP configuration was not updated to
point to the new filename, nor the parameter.
This change adds 'uefi_ipxe_bootfile_name' to
ironic::pxe::common, updates the other manifests to
use ironic::pxe::common::uefi_ipxe_bootfile_name if
set.
Also add the 'uefi_ipxe_bootfile_name' parameter to
the ironic::inspector class and update the dnsmasq
DHCP template to use the parameter.
Closes-Bug: #1952652
Change-Id: I1b3ccd8ad8f3ce66c66c58b1dfdca158d749c287
Switches to using the new ironic-dnsmasq-tftp-server service[1], which
manages the dnsmasq process in order to facilitate standalone usage and
testing of puppet-ironic outside with Centos-Stream 9 where package
changes are anticipated.
On Centos-Stream 9, users should effectively be forced over to using
dnsmasq automatically.
The higher level controls for defaults can also be changed for
the purpose of backporting such that prior releases are not
automatically switched to using dnsmasq unless they have to be run with
dnsmasq based upon known package availability.
Note that just setting tftp_use_xinetd=false in an existing deployment
doesn't remove the xinetd service completely, because of a limitation
caused by the current implementation of puppet-xinetd, and users are
responsible for removing the service, package, etc. properly before
switching to the new service.
[1] https://review.rdoproject.org/r/c/openstack/ironic-distgit/+/34691
Change-Id: I5d388acfb96fa3e3a555a119ff72feabdd1cdf87
Add the parameter ``dnsmasq_dhcp_sequential_ip`` to the
ironic::inspector class. When true (the default) dnsmasq
is configured to serve addresses in sequential order.
Some DHCPv6 clients don't operate well with a DHCP server
that serves addresses sequentially. The new parameter
allows disabling sequential addressing to improve
interoperability with DHCPv6 clients in UEFI firmware.
Closes-Bug: #1941908
Change-Id: Iad32434790a1744249b284937c6b67e9b58a235f
In essence, the pxe preference doesn't apply to ppc64le.
This is because PXE data loading is part of the firmware and
does not use an intermediate boot loader like ipxe, syslinux,
or even grub.
Changes the logic to always set the stage for PXE based
deployments and enables boot setting awareness for ppc64le
based on the TFTP defaults. This allows ppc64le to coexist
with an environment preferring HTTP transport like those
used with iPXE.
Change-Id: I27fa53700c1b44f14725bc66b929732553da58f8
For DHCPv6 PXE boot, the Client Architecture option uses code 61,
see https://tools.ietf.org/html/rfc5970#section-3.3. Use this
to determine if booting over EFI and set the DHCPv6 bootfile-url
when booting PXE over EFI.
Change-Id: I096ac412c015c3ac488d712010aafe52b572cfad
Extend and re-name the function ipv6_netmask_to_prefix() to
ipv6_normalize_dnsmasq_ip_subnets(). It now changes the netmask
to prefix and removes the 'gateway' if it is an IPv6 subnet.
On IPv6 router info should be provided in router advertisements.
There was a draft to add support in DHCPv6, but it was never
completed.
https://datatracker.ietf.org/doc/draft-ietf-mif-dhcpv6-route-option/
Also:
Add match for userclass iPXE and set option6:bootfile-url
Closes-Bug: #1844573
Change-Id: I47d88519acd18630e0d5682d93f1088771ec03a1
It should be possible to configure the DHCP server to
provide the mtu option for inspection subnets.
This uses the dhcp-option-force so that the option is
provided also when the client does not ask for it.
According to dnsmasq manual page this is sometimes
required when sending options to PXELINUX.
Closes-Bug: #1845487
Change-Id: Ic95dbf1867fb5397f1b6d8f23466910a97051cb6
dnsmasq.conf requires a prefix length as netmask for IPv6.
Convert an IPv6 address netmask to prefix.
Closes-Bug: #1828837
Change-Id: Idf84ba30eb4eb6d202faa470209f10c9da40e80b
Advanced users may need to push advanced routing to the client.
Add the possibility to configure the classless-static-route
(dhcp option: 121) in ironic inspector's dnsmasq.
Change-Id: I2229d386bff8ae63e4efe8406770b2b378a1991f
Related-Bug: #1819464
In order to allow the ironic inspector dnsmasq service to
receive packets after the network service is restarted, the
bind-interfaces option should not be set. Since the
ironic inspector is bound to the br-ctlplane interface,
it's not necessary to set this field as this dnsmasq instance
will only service this interface.
From the dnsmasq man page (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html).
-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address,
even when it is listening on only some interfaces. It then
discards requests that it shouldn't reply to. This has the
advantage of working even when interfaces come and go and
change address. This option forces dnsmasq to really bind only
the interfaces it is listening on. About the only time when
this is useful is when running another nameserver (or another
instance of dnsmasq) on the same machine. Setting this option
also enables multiple instances of dnsmasq which provide DHCP
service to run in the same machine.
We do run another dnsmasq instance for neutron but that is bound to
the tap interface in the namespace.
Change-Id: I88a0b67a61944565e59f245f02f7e4620f92ec82
The aim of this change is to enable puppet-ironic as used by tripleo to
configure ironic and the tftp services in a way that "just works" with
tripleo.
It adds the ability to tweak ironic's command retry and spacing values
as well as creating architecture specific config and bootfile mappings.
Blueprint: multiarch-support
Change-Id: Ia64dd21b55474d402315ba7c05e28604fff3aea8
As described in bug, it's possible that addresses provided to IPA via
DHCP may expire and not be added to the introspection report. This
increases the dhcp lease time from 2 to 10 minutes. There should be
no downside to increasing this lease time since these addresses
are only used during introspection.
Change-Id: Iae15e9db0acc2ecd5b087a9ca430be948bc3e649
Closes-Bug: 1721051
This fixes an issue during introspection when the client loops
over ipxe.efi when using UEFI. In addition it adds support to handle
clients which report UEFI client architecture type 9 (EFI x86-64).
Change-Id: I236a58aab4000395154e5f463bad07f65b8d8b64
Closes-Bug: 1714320
The dnsmasq minimum is 2 minutes, so setting to 29 seconds doesn't
work. Setting it to 2 minutes better reflects reality.
Also using the minutes identifier (m) ensures that dnsmasq doesn't
attempt to parse the timeout as a prefix length if an IPv6 range is
provided.
Change-Id: I9e8585a7e4e5b6a21b05f3c5578c869a2c357b02
This patch adds two params in inspector_pxelinux_cfg template,
to make kernel and ramdisk filename configurable.
Change-Id: I5a421cd6135d001763e4d83da778ab33e5b1baca
* Support for disabling UEFI in inspector
* Authtoken signing_dir argument
* ironic::drivers::deploy manifest
* ironic::db::inspector_sync manifest
* enabled_drivers and rabbit_user from init manifest
This change leaves out the following deprecations
* Implicit including of ironic::pxe in inspector (due to unclear CI problems)
* Other rabbit_* parameters (THT still uses them, sigh)
Change-Id: Ibf1c64bb5a6538610dfd9529526f203374b4e7da
With support for multiple subnets in Ironic Inspector dnsmasq
a new parameter 'dnsmasq_ip_subnets' was added. With this new
parameter the 'dnsmasq_ip_range' is redundant and should be
deprecated.
Change-Id: I07cbdd5e5573df23d6bdbfff4588cd870be933d9
At this point we already have DHCP on the right NIC to be able to download
this iPXE script. The "dhcp" may actually break the boot, as it runs DHCP
on the first available interface, not the PXE booting one.
Change-Id: I9ec62b6b662c9ea70f7cc12bd0567b5e4119faf7
Closes-Bug: #1635191
We should provide option to setup PXE in order to remove PXE setup
from tripleo elements. Class ironic::pxe will setup tftpboot and
httpboot and class ironic::pxe::common will take care of common
dependencies between ironic, ironic inspector and pxe driver.
Change-Id: I8b83eff694316755e4dd2dbcde7b569472893bc5
We currently allow changing the HTTP port for Ironic iPXE support,
but we don't allow the same for ironic-inspector. This patch fixes it.
Change-Id: I62effb9d0196474a3768ef7e80528f730df8a543
Closes-Bug: #1602976
Ensure iPXE retries to boot from the network in case of failure.
--timeout is required to avoid an unlimited freeze; the goto loop is
here to force iPXE to retry the download. imgfree ensures the image gets
cleaned.
References:
I0fbb40c711a707ae9fae186e9afbe62b79168e28
I472dfb73044df50849c9cf72de90e59151698376
Issue: #1326656
Change-Id: I6782f6499a8a8a9706415b3c9b22d41a9abb2e30
To send the Inspector ramdisk over HTTP rather than TFTP, we must first
send an iPXE boot image that knows how to speak HTTP, and then instruct
it to "chainload" the inspector ramdisk. Previously, we could only do
this if the machine being introspected had BIOS firmware. However, most
modern servers now use UEFI firmware, which requires a different iPXE
boot image (as described at http://ipxe.org/howto/chainloading).
We must specify the initrd in the iPXE `kernel` line to avoid the
problem described at http://forum.ipxe.org/showthread.php?tid=7589.
Change-Id: I9cb102178bee8039a8cfc157154ecbd315aba871
That commit included binary blobs, which were not acceptable to
downstream packagers.
This reverts commit 5279179040.
Change-Id: I3a97400af4bb44d5b41b846ffb1f766c1712b61a
To send the Inspector ramdisk over HTTP rather than TFTP, we must first
send an iPXE boot image that knows how to speak HTTP, and then instruct
it to "chainload" the inspector ramdisk. Previously, we could only do
this if the machine being introspected had BIOS firmware. However, most
modern servers now use UEFI firmware, which requires a different iPXE
boot image (as described at http://ipxe.org/howto/chainloading).
We must specify the initrd in the iPXE `kernel` line to avoid the
problem described at http://forum.ipxe.org/showthread.php?tid=7589.
We include the iPXE binary images directly in the files/ subdirectory
and serve them from the puppet master. This is because
- while there is a Debian package that contains both images, there is
currently no package for Red Hat systems that contains the UEFI
image;
- downloading the images from ipxe.org would make our users vulnerable
to any attack affecting that site.
Change-Id: I1f08578d4005c33feed84d4783a7a7693d13920c
Depends-On: I7dc191a38132db5fc2c68846c036d5b45061b398
Introspection naturally happens in large bulks, after which it's inactive.
Small pool for DHCP addresses means that we'll have conflicts due to how
dnsmasq distributes them by default - using hashing. This change tells dnsmasq
to allocate IP addresses sequentially instead to avoid these conflicts.
The drawback of this option is that long-running clients may switch IP
addresses if their lease expires. This is not a concern for short introspection
process.
Change-Id: I0f08609a9f72799ef9f62216041f2b2b9795afd5
IPA accepts plenty of kernel arguments, adding all of them explicitly
may not be practical. New option ramdisk_kernel_args allows setting
a string to append to the kernel command line when booting IPA.
The first use case that comes to my mind is ipa-inspection-benchmarks
option, enabling benchmarking during inspection.
Change-Id: Id6bb8f38beb299e72fb5ab0e4d9a89ac00a47df2
Inspection collectors are IPA plugins that collect additional information
for inspection. This patch allows changing their list, with default remaining
the same (for now).
Change-Id: I1e5ea1cd5ee24872375cd53d3eebf14b1082d874
Add the ability to configure the ironic-inspector service
for doing introspection of bare metal nodes.
Closes-Bug: 1486197
Change-Id: I9b2917a2c3f6afe75dc295c81d09f7a12856007f
Instead of putting baremetal.json and groupvars/all on the
git repo folder for Bifrost, just create a folder (which defaults
to /etc/bifrost) and put those files in there.
This will avoid having a dirty bifrost git repo and having issues
whenever the Bifrost git repo is updated.
Note, you will need to run
'ansible-playbook -e @/etc/bifrost/bifrost_global_vars ...' in order
to load the configuration file variables at execution time.
Check http://docs.ansible.com/ansible/playbooks_variables.html for
more info.
Change-Id: Id0f5711f6f4e18cf67586e2445d8bd09c5db7ca9
Bifrost is a set of Ansible playbooks to install Ironic in
standalone mode and enroll and deploy baremetal servers.
Change-Id: I1f31c8a59d82112d998fb3555c9f55d5c850093d