48 Commits

Author SHA1 Message Date
Takashi Kajinami 055a0f1749 inspector: Fix wrong type of default pxe_timeout
The pxe_timeout parameter should be set to an integer value (or
a string representing an integer) and can't be set to
the os_service_default fact.

Closes-Bug: #2058229
Change-Id: I7b04e5586c82fc528f960beddfe50a7b355f6580
2024-03-18 20:14:42 +09:00
Zuul d295fd035a Merge "inspector: Fix missing new line in dnsmasq.conf with multiple subnets" 2023-11-02 15:33:56 +00:00
Takashi Kajinami e1a89eb585 inspector: Fix missing new line in dnsmasq.conf with multiple subnets
... and make pattern match for inspector dnsmasq.conf more
strict to detect missing new lines or unnecessary elements.

Closes-Bug: #2042526
Change-Id: I03abeb7c1519f5a2cbcddaa3722d4053eab3566f
2023-11-02 14:48:18 +09:00
Takashi Kajinami f47e1614c7 Do not override ipa-inspection-collectors by default
The ipa-inspection-collectors option is optional so can be omitted.

Note that this change effectively enables the log collector which is
enabled by default in IPA since 6.4.0[1].

[1] d50ff06b6bbf8909496882c7200c11299dc6b039

Change-Id: I779d35d8244759023fe2dc1e889f5f4674b78561
2023-11-02 13:28:49 +09:00
Takashi Kajinami 98c9b5c81b Inspector: Fix missing log-facility when tftp protocol is used
Closes-Bug: #1968937
Change-Id: I4bfa487e6c982c99314112a58da61d6e53935b90
2022-04-14 09:21:21 +09:00
Takashi Kajinami f0f6163f43 Allow customizing log output of dnsmasq services
This change introduces the new dnsmasq_log_facility parameter so that
users can customize log output from dnsmasq processes.

Change-Id: Ied9b42432cf12f0ea84b27a93389805589db3f30
2022-03-10 01:18:35 +00:00
Takashi Kajinami f47dc524aa Remove bifrost support
... because it was deprecated during Xena cycle[1].

[1] 78f7e9efb7

Change-Id: I059c0f132be0ebb01a21e144166bcecbcc4530b4
2021-12-02 20:59:14 +09:00
Harald Jensås 51ea0c95ea Fix name of iPXE efi bootrom
In change Ia30aff290ec24972f387612851f8f630ddc9403b
the file in tftproot was renamed from ipxe.efi to
snponly.efi. Later the filename was parameterized
in change I565e3ae6388812c358e86fac49b17e0cce97b9df.

The dnsmasq DHCP configuration was not updated to
point to use the new filename, nor the parameter.

This change adds 'uefi_ipxe_bootfile_name' to
ironic::pxe::common, updates the other manifests to
use ironic::pxe::common::uefi_ipxe_bootfile_name if
set.

Also add the 'uefi_ipxe_bootfile_name' parameter to
the ironic::inspector class and update the dnsmasq
DHCP template to use the parameter.

Closes-Bug: #1952652
Change-Id: I1b3ccd8ad8f3ce66c66c58b1dfdca158d749c287
2021-11-30 11:48:32 +01:00
Julia Kreger f2dd0d3cc5 Support use of dnsmasq as tftp service
Switches to using the new ironic-dnsmasq-tftp-server service[1], which
manages the dnsmasq process in order to facilitate standalone usage and
testing of puppet-ironic outside with Centos-Stream 9 where package
changes are anticipated.

On Centos-Stream 9, users should effectively be forced over to using
dnsmasq automatically.

The higher level controls for defaults can also be changed for
the purpose of backporting such that prior releases are not
automatically switched to using dnsmasq unless they have to be run with
dnsmasq based upon known package availability.

Note that just setting tftp_use_xinetd=false in an existing deployment
doesn't remove the xinetd service completely, because of limitation
caused by current implementation of puppet-xinetd, and users are
responsible to remove service, package and etc properly before
switching to the new service.

[1] https://review.rdoproject.org/r/c/openstack/ironic-distgit/+/34691

Change-Id: I5d388acfb96fa3e3a555a119ff72feabdd1cdf87
2021-10-04 15:17:41 +00:00
Harald Jensås 4f67b341ee inspector dnsmasq: make sequential-ip configurable
Add the parameter ``dnsmasq_dhcp_sequential_ip`` to the
ironic::inspector class. When true (the default) dnsmasq
is configured to serve addresses in sequential order.

Some DHCPv6 clients don't operate well with a DHCP server
that serves addresses sequentially. The new parameter
allows disabling sequential addressing to improve
interoperability with DHCPv6 clients in UEFI firmware.

Closes-Bug: #1941908
Change-Id: Iad32434790a1744249b284937c6b67e9b58a235f
2021-08-28 08:53:36 +09:00
Julia Kreger da503fd5ce Fix ppc64le support to coexist with PXE preference
In essence, the pxe preference doesn't apply to ppc64le.

This is because PXE data loading is part of the firmware and
does not use an intermediate boot loader like ipxe, syslinux,
or even grub.

Changes the logic to always set the stage for PXE based
deployments and enables boot setting awareness for ppc64le
based on the TFTP defaults. This allows ppc64le to coexist
with an environment preferring HTTP transport like those
used with iPXE.

Change-Id: I27fa53700c1b44f14725bc66b929732553da58f8
2021-08-05 22:59:25 +09:00
Bob Fournier 3af8943002 Use client architecture and set bootfile-url for DHCPv6 in inspector
For DHCPv6 PXE boot, the Client Architecture option uses code 61,
see https://tools.ietf.org/html/rfc5970#section-3.3. Use this
to determine if booting over EFI and set the DHCPv6 bootfile-url
when booting PXE over EFI.

Change-Id: I096ac412c015c3ac488d712010aafe52b572cfad
2019-10-17 22:02:07 -04:00
Zuul e157ffd63b Merge "Wrap ipv6 addresses in inspector-ipxe template" 2019-10-01 13:48:51 +00:00
Harald Jensås 3044c0984d Wrap ipv6 addresses in inspector-ipxe template
Closes-Bug: #1845566
Change-Id: Ic5cf47b03a13fccc16ad9410cb4939848e254bd1
2019-09-27 23:08:17 +02:00
Harald Jensås 15eedd0c4c Fix Inspector dnsmasq config for IPv6
Extend and re-name the function ipv6_netmask_to_prefix() to
ipv6_normalize_dnsmasq_ip_subnets(). It now changes the netmask
to prefix and removes the 'gateway' if it is an IPv6 subnet.

On IPv6 router info should be provided in router advertisements.
There was a draft to add support in DHCPv6, but it was never
completed.
https://datatracker.ietf.org/doc/draft-ietf-mif-dhcpv6-route-option/

Also:
  Add match for userclass iPXE and set option6:bootfile-url

Closes-Bug: #1844573
Change-Id: I47d88519acd18630e0d5682d93f1088771ec03a1
2019-09-27 20:20:13 +02:00
Harald Jensås 03550bc8c8 Add support to set option:mtu in inspector dnsmasq
It should be possible to configure the DHCP server to
provide the mtu option for inspection subnets.

This uses the dhcp-option-force so that the option is
provided also when the client does not ask for it.
According to dnsmasq manual page this is sometimes
required when sending options to PXELINUX.

Closes-Bug: #1845487
Change-Id: Ic95dbf1867fb5397f1b6d8f23466910a97051cb6
2019-09-26 13:49:56 +02:00
Harald Jensås 7b6b097d8a Convert ipv6 netmask to prefix in dnsmasq.conf
dnsmasq.conf requires a prefix length as netmask for IPv6.
Convert an IPv6 address netmask to prefix.

Closes-Bug: #1828837
Change-Id: Idf84ba30eb4eb6d202faa470209f10c9da40e80b
2019-05-16 14:46:30 +02:00
Tobias Urdin 39115e63c2 Remove ironic::inspector::debug
Removes the deprecated parameter that is superseded
by the dhcp_debug parameter.

Change-Id: I81dece5bcaf36c0f67d17398f2dd957b06dd2e1b
2019-05-10 16:32:34 +02:00
Harald Jensås c192ee40ac Add support for classless-static-routes in inspector dnsmasq
Advanced users may need to push advanced routing to the client.
Add the possibility to configure the classless-static-route
(dhcp option: 121) in ironic inspector's dnsmasq.

Change-Id: I2229d386bff8ae63e4efe8406770b2b378a1991f
Related-Bug: #1819464
2019-03-12 18:27:39 +01:00
Tobias Urdin 19036bf75c Remove deprecated logging
Change-Id: I2c0bc7906a165f26b21a3283636409f75cfdb30a
2018-12-06 13:58:55 +01:00
Bob Fournier 44ad813ee6 Remove ironic inspector dnsmasq bind-interfaces setting
In order to allow the ironic inspector dnsmasq service to
receive packets after the network service is restarted, the
bind-interfaces option should not be set.  Since the
ironic inspector is bound to the br-ctlplane interface,
it's not necessary to set this field as this dnsmasq instance
will only service this interface.

From the dnsmasq man page (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html).
-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address,
even when it is listening on only some interfaces. It then
discards requests that it shouldn't reply to. This has the
advantage of working even when interfaces come and go and
change address. This option forces dnsmasq to really bind only
the interfaces it is listening on. About the only time when
this is useful is when running another nameserver (or another
instance of dnsmasq) on the same machine. Setting this option
also enables multiple instances of dnsmasq which provide DHCP
service to run in the same machine.

We do run another dnsmasq instance for neutron but that is bound to
the tap interface in the namespace.

Change-Id: I88a0b67a61944565e59f245f02f7e4620f92ec82
2018-09-07 10:10:20 +02:00
Tony Breeds 75477a9754 Add support for configuring ppc64le nodes
The aim of this change is to enable puppet-ironic as used by tripleo to
configure ironic and the tftp services in a way that "just works" with
tripleo.

It adds the ability to tweak ironic's command retry and spacing values
as well as creating architecture specific config and bootfile mappings

Blueprint: multiarch-support
Change-Id: Ia64dd21b55474d402315ba7c05e28604fff3aea8
2018-07-07 17:51:19 +10:00
Tobias Urdin 2ad9190159 Remove deprecated parameters
Removes deprecated parameters that have been
deprecated for one cycle or more.

Change-Id: I0c29a346e0df44bce5e4c661b4b8a77f9e126fc7
2018-06-13 13:45:27 +02:00
Dmitry Tantsur 76e4a89922 inspector: configure "dnsmasq" DHCP filter
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Related-Bug: #1756075
Change-Id: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
2018-03-15 14:52:09 +01:00
Zuul 45da0fa6a7 Merge "Adding support for UEFI client arch type 11 (EFI aarch64)" 2017-10-20 01:51:24 +00:00
Dan Radez 21290f24b8 Adding support for UEFI client arch type 11 (EFI aarch64)
Change-Id: I41805919e265cf9209b527dbe9fb8c7acb74df17
2017-10-17 11:31:13 -04:00
Dmitry Tantsur c9951abf87 Turn on DHCP logging in ironic-inspector when debug is true
Thanks to Dan Radez for pointing out this cool feature to me.

Change-Id: Ica31ab87b646e3bad21d55ba939437094f42cf9c
2017-10-17 12:35:30 +02:00
Bob Fournier c00a1b88ba Increase Ironic inspector dnsmasq lease time
As described in bug, it's possible that addresses provided to IPA via
DHCP may expire and not be added to the introspection report.  This
increases the dhcp lease time from 2 to 10 minutes.  There should be
no downside to increasing this lease time since these addresses
are only used during introspection.

Change-Id: Iae15e9db0acc2ecd5b087a9ca430be948bc3e649
Closes-Bug: 1721051
2017-10-04 14:14:30 -04:00
Bob Fournier 9d7d8e7042 Fixes for Ironic-inspector introspection when client using UEFI
This fixes an issue during introspection when the client loops
over ipxe.efi when using UEFI.  In addition it adds support to handle
clients which report UEFI client architecture type 9 (EFI x86-64).

Change-Id: I236a58aab4000395154e5f463bad07f65b8d8b64
Closes-Bug: 1714320
2017-08-31 16:50:26 -04:00
Derek Higgins 71ee4e42be Explicitly set inspector dhcp timeout to 2 minutes
The dnsmasq minimum is 2 minutes, so setting to 29 seconds doesn't
work. Setting it to 2 minutes better reflects reality.
Also using the minutes identifier (m) ensures that dnsmasq doesn't
attempt to parse the timeout as a prefix length if an IPv6 range is
provided.

Change-Id: I9e8585a7e4e5b6a21b05f3c5578c869a2c357b02
2017-08-17 10:41:59 +01:00
Xingchao Yu 6071888f14 Make kernel and ramdisk filename configurable
This patch adds two params in inspector_pxelinux_cfg template,
to make kernel and ramdisk filename configurable.

Change-Id: I5a421cd6135d001763e4d83da778ab33e5b1baca
2017-05-05 09:31:26 +08:00
Dmitry Tantsur 65186a41dd Clean up deprecated items supposed to be removed in Ocata and Pike
* Support for disabling UEFI in inspector
* Authtoken signing_dir argument
* ironic::drivers::deploy manifest
* ironic::db::inspector_sync manifest
* enabled_drivers and rabbit_user from init manifest

This change leaves out the following deprecation
* Implicit including of ironic::pxe in inspector (due to unclear CI problems)
* Other rabbit_* parameters (THT still uses them, sigh)

Change-Id: Ibf1c64bb5a6538610dfd9529526f203374b4e7da
2017-04-03 14:00:59 +02:00
Harald Jensas 90f862ce25 Deprecate 'dnsmasq_ip_range' replaced by 'dnsmasq_ip_subnets'
With support for multiple subnets in Ironic Inspector dnsmasq
a new parameter 'dnsmasq_ip_subnets' was added. With this new
parameter the 'dnsmasq_ip_range' is redundant and should be
deprecated.

Change-Id: I07cbdd5e5573df23d6bdbfff4588cd870be933d9
2017-03-13 16:22:35 +01:00
Harald Jensas 9041a3af23 Multiple DHCP Subnets for Ironic Inspector
Add parameter 'dnsmasq_ip_subnets' and enable template to
configure dhcp-range and dhcp-option 'option:router' for
additional subnets in Ironic Inspector dnsmasq.

Implements: blueprint tripleo-routed-networks-ironic-inspector
Closes-Bug: #1637503
Change-Id: Ie49b07ffe948576f5d9330cf11ee014aef4b282d
2017-02-22 13:21:08 +01:00
Dmitry Tantsur 806d5a1569 Remove "dhcp" command from the iPXE script
At this point we already have DHCP on the right NIC to be able to download
this iPXE script. The "dhcp" may actually break the boot, as it runs DHCP
on the first available interface, not the PXE booting one.

Change-Id: I9ec62b6b662c9ea70f7cc12bd0567b5e4119faf7
Closes-Bug: #1635191
2016-10-20 18:05:51 +02:00
Lukas Bezdicka 0376a5f55d Introduce ironic::pxe class
We should provide option to setup PXE in order to remove PXE setup
from tripleo elements. Class ironic::pxe will setup tftpboot and
httpboot and class ironic::pxe::common will take care of common
dependencies between ironic, ironic inspector and pxe driver.

Change-Id: I8b83eff694316755e4dd2dbcde7b569472893bc5
2016-08-30 16:42:15 +02:00
Dmitry Tantsur 270b0cb7c7 [inspection] allow to configure HTTP port
We currently allow changing the HTTP port for Ironic iPXE support,
but we don't allow the same for ironic-inspector. This patch fixes it.

Change-Id: I62effb9d0196474a3768ef7e80528f730df8a543
Closes-Bug: #1602976
2016-07-14 14:19:35 +02:00
Gonéri Le Bouder 9d56010c8c iPXE: retry on failure during introspection
Ensure iPXE retries booting from the network in case of failure.
--timeout is required to avoid an unlimited freeze, the goto loop is
here to force iPXE to retry the download. imgfree ensures the image gets
cleaned.

References:
 I0fbb40c711a707ae9fae186e9afbe62b79168e28
 I472dfb73044df50849c9cf72de90e59151698376
 Issue: #1326656

Change-Id: I6782f6499a8a8a9706415b3c9b22d41a9abb2e30
2016-04-29 19:39:54 -04:00
Miles Gould a7e66a34a4 Allow chainloading of Inspector ramdisk over UEFI
To send the Inspector ramdisk over HTTP rather than TFTP, we must first
send an iPXE boot image that knows how to speak HTTP, and then instruct
it to "chainload" the inspector ramdisk. Previously, we could only do
this if the machine being introspected had BIOS firmware. However, most
modern servers now use UEFI firmware, which requires a different iPXE
boot image (as described at http://ipxe.org/howto/chainloading).

We must specify the initrd in the iPXE `kernel` line to avoid the
problem described at http://forum.ipxe.org/showthread.php?tid=7589.

Change-Id: I9cb102178bee8039a8cfc157154ecbd315aba871
2016-04-08 17:25:37 +01:00
Miles Gould b94bbf24af Revert "Allow chainloading of Inspector ramdisk over UEFI"
That commit included binary blobs, which were not acceptable to
downstream packagers.

This reverts commit 5279179040.

Change-Id: I3a97400af4bb44d5b41b846ffb1f766c1712b61a
2016-04-06 17:40:14 +01:00
Miles Gould 5279179040 Allow chainloading of Inspector ramdisk over UEFI
To send the Inspector ramdisk over HTTP rather than TFTP, we must first
send an iPXE boot image that knows how to speak HTTP, and then instruct
it to "chainload" the inspector ramdisk. Previously, we could only do
this if the machine being introspected had BIOS firmware. However, most
modern servers now use UEFI firmware, which requires a different iPXE
boot image (as described at http://ipxe.org/howto/chainloading).

We must specify the initrd in the iPXE `kernel` line to avoid the
problem described at http://forum.ipxe.org/showthread.php?tid=7589.

We include the iPXE binary images directly in the files/ subdirectory
and serve them from the puppet master. This is because

 - while there is a Debian package that contains both images, there is
   currently no package for Red Hat systems that contains the UEFI
   image;
 - downloading the images from ipxe.org would make our users vulnerable
   to any attack affecting that site.

Change-Id: I1f08578d4005c33feed84d4783a7a7693d13920c
Depends-On: I7dc191a38132db5fc2c68846c036d5b45061b398
2016-03-23 12:02:44 +00:00
Dmitry Tantsur dfff2af147 [inspector] use dnsmasq dhcp-sequential-ip flag in dnsmasq.conf
Introspection naturally happens in large bulks, after which it's inactive.
Small pool for DHCP addresses means that we'll have conflicts due to how
dnsmasq distributes them by default - using hashing. This change tells dnsmasq
to allocate IP addresses sequentially instead to avoid these conflicts.

The drawback of this option is that long-running clients may switch IP
addresses if their lease expires. This is not a concern for short introspection
process.

Change-Id: I0f08609a9f72799ef9f62216041f2b2b9795afd5
2016-03-01 15:11:50 +01:00
Dmitry Tantsur 5704275b69 [inspector] allow sending random kernel arguments to the IPA
IPA accepts plenty of kernel arguments, adding all them explicitly
may be not practical. New option ramdisk_kernel_args allows to set
a string to append to the kernel command line when booting IPA.

The first use case that comes to my mind is ipa-inspection-benchmarks
option, enabling benchmarking during inspection.

Change-Id: Id6bb8f38beb299e72fb5ab0e4d9a89ac00a47df2
2016-02-16 15:07:17 +01:00
Dmitry Tantsur 271da81d45 Enable changing list of inspection collectors
Inspection collectors are IPA plugins that collect additional information
for inspection. This patch allows changing their list, with default remaining
the same (for now).

Change-Id: I1e5ea1cd5ee24872375cd53d3eebf14b1082d874
2016-01-06 12:54:19 +01:00
Dmitry Tantsur 8d9730a593 Add BOOTIF=${mac} to the inspector iPXE template
It is required to determine the booting NIC.

Change-Id: I8547d1f62047e678d0ba825451a07aea2dd1cb2b
Closes-Bug: #1517941
2015-11-19 15:58:09 +01:00
John Trowbridge 0358830fa7 Add ironic-inspector support
Add the ability to configure the ironic-inspector service
for doing introspection of bare metal nodes.

Closes-Bug: 1486197
Change-Id: I9b2917a2c3f6afe75dc295c81d09f7a12856007f
2015-10-06 09:17:41 -04:00
Ricardo Carrillo Cruz 5baf8d135c Put configuration files under configurable folder
Instead of putting baremetal.json and groupvars/all on the
git repo folder for Bifrost, just create a folder (which defaults
to /etc/bifrost) and put those files in there.
This will avoid having a dirty bifrost git repo and having issues
whenever the Bifrost git repo is updated.
Note, you will need to run
'ansible-playbook -e @/etc/bifrost/bifrost_global_vars ...' in order
to load the configuration file variables at execution time.
Check http://docs.ansible.com/ansible/playbooks_variables.html for
more info.

Change-Id: Id0f5711f6f4e18cf67586e2445d8bd09c5db7ca9
2015-08-24 18:48:47 +00:00
Ricardo Carrillo Cruz 95eeb73c4c Add bifrost manifest
Bifrost is a set of Ansible playbooks to install Ironic in
standalone mode and enrolling and deploying baremetal servers

Change-Id: I1f31c8a59d82112d998fb3555c9f55d5c850093d
2015-08-04 17:12:43 +02:00