Create a job with boot and networking managed by ironic

The devstack plugin is updated to skip configuring PXE environment
if managed mode is requested, so that only ironic's PXE environment
is usable.

Change-Id: Ib7b83210a02b727d94dfa15bde43e7fee2e51531
Story: #1528920
Task: #37254

devstack/plugin.sh

@@ -81,6 +81,8 @@ IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK=${IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK:-""}
 IRONIC_INSPECTOR_OVS_PORT=${IRONIC_INSPECTOR_OVS_PORT:-brbm-inspector}
 IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE=${IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE:-""}
 IRONIC_INSPECTOR_POWER_OFF=${IRONIC_INSPECTOR_POWER_OFF:-True}
+IRONIC_INSPECTOR_MANAGED_BOOT=$(trueorfalse False IRONIC_INSPECTOR_MANAGED_BOOT)
+IRONIC_INSPECTION_NET_NAME=${IRONIC_INSPECTION_NET_NAME:-$IRONIC_CLEAN_NET_NAME}
 if is_service_enabled swift; then
     DEFAULT_DATA_STORE=swift
 else
@@ -154,7 +156,8 @@ function start_inspector {
 
 function is_inspector_dhcp_required {
     [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]] || \
-    [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]]
+        [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]] && \
+        [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]]
 }
 
 function start_inspector_dhcp {
@@ -335,6 +338,15 @@ function configure_inspector {
 
     iniset "$IRONIC_CONF_FILE" inspector enabled True
     iniset "$IRONIC_CONF_FILE" inspector service_url $IRONIC_INSPECTOR_URI
+    if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "True" ]]; then
+        iniset "$IRONIC_CONF_FILE" neutron inspection_network $IRONIC_INSPECTION_NET_NAME
+        iniset "$IRONIC_CONF_FILE" inspector require_managed_boot True
+        iniset "$IRONIC_CONF_FILE" inspector extra_kernel_params \
+            "ipa-inspection-collectors=\"$IRONIC_INSPECTOR_COLLECTORS\""
+        # In this mode we do not have our own PXE environment, so do not accept
+        # requests without manage_boot=False.
+        inspector_iniset DEFAULT can_manage_boot False
+    fi
 
     setup_logging $IRONIC_INSPECTOR_CONF_FILE DEFAULT
 
@@ -415,29 +427,33 @@ EOF
 }
 
 function prepare_environment {
-    prepare_tftp
     create_ironic_inspector_cache_dir
 
-    if [[ "$IRONIC_BAREMETAL_BASIC_OPS" == "True" && "$IRONIC_IS_HARDWARE" == "False" ]]; then
-        sudo ip link add $IRONIC_INSPECTOR_OVS_PORT type veth peer name $IRONIC_INSPECTOR_INTERFACE
-        sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT up
-        sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT mtu $PUBLIC_BRIDGE_MTU
-        sudo ovs-vsctl add-port $IRONIC_VM_NETWORK_BRIDGE $IRONIC_INSPECTOR_OVS_PORT
+    if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]]; then
+        prepare_tftp
+
+        if [[ "$IRONIC_BAREMETAL_BASIC_OPS" == "True" && "$IRONIC_IS_HARDWARE" == "False" ]]; then
+            sudo ip link add $IRONIC_INSPECTOR_OVS_PORT type veth peer name $IRONIC_INSPECTOR_INTERFACE
+            sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT up
+            sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT mtu $PUBLIC_BRIDGE_MTU
+            sudo ovs-vsctl add-port $IRONIC_VM_NETWORK_BRIDGE $IRONIC_INSPECTOR_OVS_PORT
+        fi
+        sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE up
+        sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE mtu $PUBLIC_BRIDGE_MTU
+        sudo ip addr add $IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET dev $IRONIC_INSPECTOR_INTERFACE
+
+        sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p udp \
+            --dport 69 -j ACCEPT
+        sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp \
+            --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
+
+        if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
+            sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 80 -j ACCEPT
+            sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 443 -j ACCEPT
+        fi
+    else
+        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
     fi
-    sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE up
-    sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE mtu $PUBLIC_BRIDGE_MTU
-    sudo ip addr add $IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET dev $IRONIC_INSPECTOR_INTERFACE
-
-    sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p udp \
-        --dport 69 -j ACCEPT
-    sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp \
-        --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
-
-    if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
-        sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 80 -j ACCEPT
-        sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 443 -j ACCEPT
-    fi
-
 }
 
 # create_ironic_inspector_cache_dir() - Part of the prepare_environment() process

zuul.d/ironic-inspector-jobs.yaml

@@ -73,6 +73,15 @@
         IRONIC_INSPECTOR_DHCP_FILTER: dnsmasq
         IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE: database
 
+- job:
+    name: ironic-inspector-tempest-managed
+    description: A job with boot managed by ironic
+    parent: ironic-inspector-base
+    vars:
+      devstack_localrc:
+        IRONIC_INSPECTOR_MANAGED_BOOT: True
+        IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK: ''
+
 - job:
     # Security testing for known issues
     name: ironic-inspector-tox-bandit

zuul.d/project.yaml

@@ -12,6 +12,7 @@
         - ironic-inspector-grenade-dsvm
         - ironic-inspector-tempest
         - ironic-inspector-tempest-discovery
+        - ironic-inspector-tempest-managed
         - ironic-inspector-non-standalone-tempest
         - openstack-tox-functional
         - openstack-tox-functional-py36
@@ -25,6 +26,7 @@
         - ironic-inspector-grenade-dsvm
         - ironic-inspector-tempest
         - ironic-inspector-tempest-discovery
+        - ironic-inspector-tempest-managed
         - ironic-inspector-non-standalone-tempest
         - openstack-tox-functional
         - openstack-tox-functional-py36