Revert "Merge pull request openshift#407 from openshift/revert-405-re…

…vert-395-1696595843385" This reverts commit dbccf56, reversing changes made to cec9f68.
stbenjam · Nov 9, 2023 · 689b836 · 689b836
1 parent dbccf56
commit 689b836
Show file tree

Hide file tree

Showing 20 changed files with 191 additions and 180 deletions.
diff --git a/Dockerfile.fcos b/Dockerfile.fcos
@@ -30,14 +30,13 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
-
-# DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/ironic-python-agent.ign.j2 /tmp/
 
 # Custom httpd config, removes all but the bare minimum needed modules
-COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
+COPY ironic-config/httpd.conf /etc/httpd/conf.d/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
+COPY ironic-config/apache2-ironic-api.conf.j2 /etc/httpd-ironic-api.conf.j2
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
 

diff --git a/Dockerfile.ocp b/Dockerfile.ocp
@@ -25,14 +25,13 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
-
-# DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/ironic-python-agent.ign.j2 /tmp/
 
 # Custom httpd config, removes all but the bare minimum needed modules
-COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
+COPY ironic-config/httpd.conf /etc/httpd/conf.d/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
+COPY ironic-config/apache2-ironic-api.conf.j2 /etc/httpd-ironic-api.conf.j2
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
 

diff --git a/Dockerfile.scos b/Dockerfile.scos
@@ -30,14 +30,13 @@ COPY scripts/* /bin/
 COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 /tmp/
-
-# DNSMASQ #
 COPY ironic-config/dnsmasq.conf.j2 /etc/
+COPY ironic-config/inspector.ipxe.j2 ironic-config/ironic-python-agent.ign.j2 /tmp/
 
 # Custom httpd config, removes all but the bare minimum needed modules
-COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
+COPY ironic-config/httpd.conf /etc/httpd/conf.d/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
+COPY ironic-config/apache2-ironic-api.conf.j2 /etc/httpd-ironic-api.conf.j2
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
 

diff --git a/README.md b/README.md
@@ -51,9 +51,6 @@ functionality:
 - `DNSMASQ_EXCEPT_INTERFACE` - interfaces to exclude when providing DHCP address
   (default `lo`)
 - `HTTP_PORT` - port used by http server (default `80`)
-- `HTTPD_SERVE_NODE_IMAGES` - used by runhttpd script, controls access
-   to the `/shared/html/images` directory via the default virtual host
-   `(HTTP_PORT)`.  (default `true`)
 - `DHCP_RANGE` - dhcp range to use for provisioning (default
    `172.22.0.10-172.22.0.100`)
 - `DHCP_HOSTS` - a `;` separated list of `dhcp-host` entries, e.g. known MAC
@@ -72,10 +69,6 @@ functionality:
    parameters to nodes running IPA
 - `GATEWAY_IP` - gateway IP address to use for ironic dnsmasq(dhcpd)
 - `DNS_IP` - DNS IP address to use for ironic dnsmasq(dhcpd)
-- `IRONIC_IPA_COLLECTORS` - Use a custom set of collectors to be run on
-   inspection. (default `default,logs`)
-- `HTTPD_ENABLE_SENDFILE` - Whether to activate the EnableSendfile apache
-   directive for httpd `(default, false)`
 
 The ironic configuration can be overridden by various environment variables.
 The following can serve as an example:
@@ -86,4 +79,4 @@ The following can serve as an example:
    inspection
 - `OS_CONDUCTOR__CLEAN_CALLBACK_TIMEOUT=1800` - timeout (seconds) to wait for a
    callback from the ramdisk doing the cleaning
-- `OS_PXE__BOOT_RETRY_TIMEOUT=1200` - timeout (seconds) to enable boot retries.
+- `OS_PXE__BOOT_RETRY_TIMEOUT=1200` - timeout (seconds) to enable boot retries.
diff --git a/ironic-config/httpd-ironic-api.conf.j2 → ironic-config/apache2-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2 → ironic-config/apache2-ironic-api.conf.j2
@@ -10,13 +10,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+Listen {{ env.IRONIC_LISTEN_PORT }}
 
 {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.IRONIC_LISTEN_PORT }}
- <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
+<VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
- <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
+<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
 
     {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}

diff --git a/ironic-config/apache2-vmedia.conf.j2 b/ironic-config/apache2-vmedia.conf.j2
@@ -9,15 +9,6 @@ Listen {{ env.VMEDIA_TLS_PORT }}
     SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
     SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
-
-    <Directory ~ "/shared/html">
-         Order deny,allow
-         deny from all
-    </Directory>
-    <Directory ~ "/shared/html/(redfish|ilo)/">
-         Order allow,deny
-         allow from all
-    </Directory>
 </VirtualHost>
 
 <Location ~ "^/(redfish|ilo)/">

diff --git a/ironic-config/httpd-modules.conf b/ironic-config/httpd-modules.conf
@@ -18,4 +18,3 @@ LoadModule authn_core_module modules/mod_authn_core.so
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule authn_file_module modules/mod_authn_file.so
 LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule access_compat_module modules/mod_access_compat.so
diff --git a/ironic-config/httpd.conf b/ironic-config/httpd.conf
@@ -0,0 +1,8 @@
+
+# http TRACE can be subjected to abuse and should be disabled
+TraceEnable off
+
+# provide minimal server information
+ServerTokens Prod
+ServerSignature Off
+
diff --git a/ironic-config/httpd.conf.j2 b/ironic-config/httpd.conf.j2
diff --git a/ironic-config/inspector.ipxe.j2 b/ironic-config/inspector.ipxe.j2
@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors=default,extra-hardware,logs systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
 initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot
diff --git a/ironic-config/ironic-python-agent.ign.j2 b/ironic-config/ironic-python-agent.ign.j2
@@ -0,0 +1,66 @@
+{% set service %}
+[Unit]
+Description=Ironic Agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStartPre=/bin/podman pull {{ env.IRONIC_AGENT_IMAGE }} {{ env.IRONIC_AGENT_PODMAN_FLAGS }} {% if env.IRONIC_AGENT_PULL_SECRET %}--authfile=/etc/authfile.json{% endif %}
+ExecStart=/bin/podman run --privileged --network host --mount type=bind,src=/etc/ironic-python-agent.conf,dst=/etc/ironic-python-agent/ignition.conf --mount type=bind,src=/dev,dst=/dev --mount type=bind,src=/sys,dst=/sys --mount type=bind,src=/,dst=/mnt/coreos --name ironic-agent {{ env.IRONIC_AGENT_IMAGE }}
+
+[Install]
+WantedBy=multi-user.target
+{% endset -%}
+
+{% set ipa_config %}
+[DEFAULT]
+api_url = {{ env.IRONIC_BASE_URL }}:{{ env.IRONIC_ACCESS_PORT }}
+inspection_callback_url = {{ env.IRONIC_BASE_URL }}:{{ env.IRONIC_INSPECTOR_ACCESS_PORT }}/v1/continue
+
+collect_lldp = True
+enable_vlan_interfaces = {{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }}
+inspection_collectors = default,extra-hardware,logs
+inspection_dhcp_all_interfaces = True
+{% endset -%}
+
+
+{
+  "ignition": {
+    "version": "3.0.0"
+  },
+  {% if env.IRONIC_RAMDISK_SSH_KEY %}
+  "passwd": {
+    "users": [
+      {
+        "name": "core",
+        "sshAuthorizedKeys": [
+          "{{ env.IRONIC_RAMDISK_SSH_KEY | trim }}"
+        ]
+      }
+    ]
+  },
+  {% endif -%}
+  "storage": {
+    "files": [
+      {
+        "path": "/etc/ironic-python-agent.conf",
+        "contents": {"source": "data:,{{ ipa_config | urlencode }}"}
+      }{% if env.IRONIC_AGENT_PULL_SECRET %},
+      {
+        "path": "/etc/authfile.json",
+        "contents": {"source": "data:;base64,{{ env.IRONIC_AGENT_PULL_SECRET | trim }}"}
+      }
+      {% endif %}
+    ]
+  },
+  "systemd": {
+    "units": [
+      {
+        "contents": "{{ service | trim | replace('\n', '\\n') }}",
+        "enabled": true,
+        "name": "ironic-agent.service"
+      }
+    ]
+  }
+}
diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
@@ -110,8 +110,10 @@ connection = sqlite:////var/lib/ironic/ironic.sqlite
 # crash. In our case we restart the container from scratch, so we can save some
 # IO by not doing syncs all the time.
 sqlite_synchronous = False
+{% elif env.MARIADB_TLS_ENABLED == "true" %}
+connection = mysql+pymysql://ironic:{{ env.MARIADB_PASSWORD }}@127.0.0.1/ironic?charset=utf8&ssl=on&ssl_ca={{ env.MARIADB_CACERT_FILE }}
 {% else %}
-connection = {{ env.MARIADB_CONNECTION }}
+connection = mysql+pymysql://ironic:{{ env.MARIADB_PASSWORD }}@127.0.0.1/ironic?charset=utf8
 {% endif %}
 
 [deploy]
@@ -146,7 +148,7 @@ insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
-extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
+extra_kernel_params = ipa-inspection-collectors=default,extra-hardware,logs ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
 {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
 callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
 {% endif %}
@@ -212,7 +214,7 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
@@ -222,14 +224,14 @@ ipxe_fallback_script = inspector.ipxe
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
 
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
 use_web_server_for_images = true
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}

diff --git a/ironic-inspector-config/inspector-apache.conf.j2 b/ironic-inspector-config/inspector-apache.conf.j2
@@ -11,11 +11,10 @@
 # under the License.
 
 
-{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
 Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
+{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
  <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
  <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
 {% endif %}
     {% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}

diff --git a/scripts/configure-coreos-ipa b/scripts/configure-coreos-ipa
@@ -0,0 +1,32 @@
+#!/usr/bin/bash
+
+# shellcheck disable=SC1091
+. /bin/ironic-common.sh
+. /bin/coreos-ipa-common.sh
+
+# Base64 encoded pull secret
+export IRONIC_AGENT_PULL_SECRET=${IRONIC_AGENT_PULL_SECRET:-}
+
+set -x
+
+export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
+export IRONIC_AGENT_IMAGE
+export IRONIC_AGENT_PODMAN_FLAGS=${IRONIC_AGENT_PODMAN_FLAGS:---tls-verify=false}
+
+IRONIC_CERT_FILE=/certs/ironic/tls.crt
+
+wait_for_interface_or_ip
+
+if [[ -f "$IRONIC_CERT_FILE" ]]; then
+    export IRONIC_BASE_URL="https://${IRONIC_URL_HOST}"
+else
+    export IRONIC_BASE_URL="http://${IRONIC_URL_HOST}"
+fi
+
+render_j2_config /tmp/ironic-python-agent.ign.j2 "$IGNITION_FILE"
+# Print the generated ignition for debugging purposes.
+sed '/authfile/,+1 s/data:.*"/<redacted>"/' "$IGNITION_FILE"
+
+if [[ -f "$ISO_FILE" ]]; then
+    coreos-installer iso ignition embed -i "$IGNITION_FILE" -f "$ISO_FILE"
+fi