Switch ironic configuration rendering to Jinja2 #201
Conversation
metal3-io-bot
added
the
size/L
|
This should make #200 unnecessary. |
|
/test-integration |
|
/test-integration |
|
/test-integration |
1 similar comment
|
/test-integration |
|
/assign @dtantsur |
ironic.conf.j2
Outdated
| @@ -1,5 +1,10 @@ | |||
| [DEFAULT] | |||
| {% if "HTTP_BASIC_HTPASSWD" in env %} | |||
There was a problem hiding this comment.
Should we check that the value isn't empty?
This centralizes the cryptic configuration done in multiple files. In addition, it configures json_rpc to be authenticated when API and conductor are running in the same container and HTTP_BASIC_HTPASSWD is set. API and json_rpc would accept the same credentials. This is to prevent other processes in the same host to access the RPC interface over localhost.
|
/test-integration |
|
/approve |
metal3-io-bot
added
the
approved
ironic.conf.j2
Outdated
| # containers are in host networking. | ||
| {% if ( env.IRONIC_DEPLOYMENT == "Combined" or env.IRONIC_DEPLOYMENT == "Conductor" ) and ( "HTTP_BASIC_HTPASSWD" in env and env.HTTP_BASIC_HTPASSWD | length ) %} | ||
| auth_strategy = http_basic | ||
| http_basic_auth_user_file = /etc/ironic/htpasswd |
There was a problem hiding this comment.
This is better than nothing for now, but if the combined container is going to continue to be a thing then I think we want to use separate credentials for json-rpc (could easily be generated inside the container, to avoid complicating the interface).
There was a problem hiding this comment.
I have some on-going work in BMO to stop using the combined version. I'd like to keep support for it in this image for now to make sure that it is backwards compatible, but when the BMO change will have been there for a while, we can move to deprecate it.
There was a problem hiding this comment.
I will add json-rpc credentials generation
|
I have now added the credentials generation for the RPC. I have considered the following use cases. I have introduced a new variable HTTP_BASIC_HTPASSWD_RPC. The user can provide HTTP_BASIC_HTPASSWD and HTTP_BASIC_HTPASSWD_RPC. If
It is implemented in the third commit of this PR. |
|
/test-integration |
|
/test-integration |
|
This looks clean to me. I think the other reviewers are more familiar with the way the actual settings are used, so I'll leave it open for one of them to look at. /approve |
configure-ironic.sh
Outdated
| fi | ||
| # We do not have an auth config file, so we generate one | ||
| else | ||
| IRONIC_RPC_TMP_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" |
There was a problem hiding this comment.
There's no need for the username to be random, I'd suggest just calling it rpc-user or something.
configure-ironic.sh
Outdated
| if [ -n "${HTTP_BASIC_HTPASSWD}" ]; then | ||
| printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}" | ||
|
|
||
| if [ -z "${HTTP_BASIC_HTPASSWD_RPC:-}" ]; then |
There was a problem hiding this comment.
We think the combined mode is going away eventually, so I would be inclined not to make this part of the container interface. It's also redundant with the auth-config file.
Instead we could just always generate a password in combined deployments unless the auth-config file exists, and always use $HTTP_BASIC_HTPASSWD as HTTP_BASIC_HTPASSWD_RPC in conductor deployments.
You already did the hard work of implementing generation so we might as well use that to keep the interface that we have to maintain simple :)
There was a problem hiding this comment.
I have now removed that variable. I kept the behaviour that in case of "Combined" we try to get the authentication info from the auth-config and if it is not provided, we generate some
configure-ironic.sh
Outdated
| IRONIC_RPC_TMP_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" | ||
| mkdir -p "/auth/ironic-rpc" | ||
| cat << EOF > "/auth/ironic-rpc/auth-config" | ||
| [json-rpc] |
There was a problem hiding this comment.
Maybe both work(?), but it's json_rpc in the code. I think we should standardise on that, because in other places (like the crudini commands on line 53-54) it probably does matter whether it's - or _.
There was a problem hiding this comment.
that's definitely a typo! thanks for the catch.
configure-ironic.sh
Outdated
| IRONIC_RPC_TMP_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" | ||
| IRONIC_RPC_TMP_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" | ||
| mkdir -p "/auth/ironic-rpc" | ||
| cat << EOF > "/auth/ironic-rpc/auth-config" |
There was a problem hiding this comment.
One thing I didn't think about before is that we're writing this to a file that is not on a tmpfs mount (like secrets are), so it could get written to disk at some point. Probably not a reason not to do this, but bindmounting it in from a secret is definitely more secure.
There was a problem hiding this comment.
I agree that it is not great, but if we want to differentiate the RPC username/password from the API ones, then in the combined case, there is no other option that writing to disk if the user does not provide the credentials. If the user provides the auth-config, then that's more secure.
|
/test-integration |
configure-ironic.sh
Outdated
|
|
||
| # Populate HTTP_BASIC_HTPASSWD_RPC | ||
| if [ -n "${IRONIC_RPC_TMP_USERNAME:-}" ]; then | ||
| printf "%s\n" "$(htpasswd -n -b -B "${IRONIC_RPC_TMP_USERNAME}" "${IRONIC_RPC_TMP_PASSWORD}")" >"${HTPASSWD_FILE}-rpc" |
There was a problem hiding this comment.
I don't think the printf is necessary here, you can just do
htpasswd -n -b -B "${IRONIC_RPC_TMP_USERNAME}" "${IRONIC_RPC_TMP_PASSWORD}" >"${HTPASSWD_FILE}-rpc"
configure-ironic.sh
Outdated
| printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}-rpc" | ||
| fi | ||
| else | ||
| export JSON_RPC_AUTH_STRATEGY="noauth" |
There was a problem hiding this comment.
I think we should move the code for the combined deployment type outside of this if/else, since we don't want to set noauth for Combined deployments just because basic_auth wasn't enabled on the API. So something like:
export JSON_RPC_AUTH_STRATEGY="noauth"
if [ -n "${HTTP_BASIC_HTPASSWD}" ]; then
if [ "${IRONIC_DEPLOYMENT}" == "Conductor" ]; then
JSON_RPC_AUTH_STRATEGY="http_basic"
printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}-rpc"
else
printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}"
fi
fi
if [ "${IRONIC_DEPLOYMENT}" == "Combined" ]; then
JSON_RPC_AUTH_STRATEGY="http_basic"
# Current lines 45-74
fi
When running both API and Conductor in the same container, we'll generate the username and password if not given by the user through the ironic-rpc auth config file.
|
@zaneb Thank you for the comments. I updated the PR. |
|
/approve works with installer, tested without and also with a rpc credentials passed in |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekhiggins, dhellmann, maelk The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Great! Is this ready to go in then ? If so please lgtm. |
|
LGTM but I am not a reviewer for this repo. |
|
@dhellmann or @dtantsur Would you mind lgtm if lgty ? thank you! |
|
/lgtm |
This centralizes the cryptic configuration done in multiple files. It also removes all calls to crudini, that was remove options set in a section if it was set to the same value in [DEFAULT].
The type of deployment of Ironic is set at the beginning of each script in IRONIC_DEPLOYMENT :
The configuration file is templated based on this variable.
In addition, it configures json_rpc to be authenticated when API and conductor are running in the same container and
HTTP_BASIC_HTPASSWD is set. API and json_rpc would accept the same credentials. This is to prevent other processes in the same host to access the RPC interface over localhost. The LISTEN_ALL_INTERFACES environment variable is added to allow restricting on which IP address ironic listens to for API and RPC.