From d1ab0a6b71a856bd62545031a7ab6a4a627125c4 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Wed, 16 Oct 2019 14:45:03 +0200
Subject: [PATCH] Create a job with boot and networking managed by ironic
The devstack plugin is updated to skip configuring PXE environment if managed mode is requested, so that only ironic's PXE environment is usable.
Change-Id: Ib7b83210a02b727d94dfa15bde43e7fee2e51531
Story: #1528920
Task: #37254
---
 devstack/plugin.sh | 58 ++++++++++++++++++++-----------
 zuul.d/ironic-inspector-jobs.yaml | 9 +++++
 zuul.d/project.yaml | 2 ++
 3 files changed, 48 insertions(+), 21 deletions(-)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index da63475f7..fcdc9491c 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -81,6 +81,8 @@ IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK=${IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK:-""}
 IRONIC_INSPECTOR_OVS_PORT=${IRONIC_INSPECTOR_OVS_PORT:-brbm-inspector}
 IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE=${IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE:-""}
 IRONIC_INSPECTOR_POWER_OFF=${IRONIC_INSPECTOR_POWER_OFF:-True}
+IRONIC_INSPECTOR_MANAGED_BOOT=$(trueorfalse False IRONIC_INSPECTOR_MANAGED_BOOT)
+IRONIC_INSPECTION_NET_NAME=${IRONIC_INSPECTION_NET_NAME:-$IRONIC_CLEAN_NET_NAME}
 if is_service_enabled swift; then
 DEFAULT_DATA_STORE=swift
 else
@@ -154,7 +156,8 @@ function start_inspector {
 function is_inspector_dhcp_required {
 [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]] || \
- [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]]
+ [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]] && \
+ [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]]
 }
 function start_inspector_dhcp {
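Review bot: The new test in `is_inspector_dhcp_required` chains `||` and `&&` without grouping, so it means "(manage firewall or filter is not noop) and not managed boot" only because bash gives the two operators equal precedence and evaluates them left to right. A reader applying C-style precedence would parse it as `A || (B && C)`, under which the function would still report DHCP as required in managed mode whenever `IRONIC_INSPECTOR_MANAGE_FIREWALL` is True, which is exactly the case this commit is meant to exclude. Checking the managed flag first states the intent directly: add `[[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]] || return 1` as the first line of the function and keep the original two-line test as it was. A comment such as `# No inspector-owned DHCP server when ironic manages boot` would record why.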
@@ -335,6 +338,15 @@ function configure_inspector {
 iniset "$IRONIC_CONF_FILE" inspector enabled True
 iniset "$IRONIC_CONF_FILE" inspector service_url $IRONIC_INSPECTOR_URI
+ if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "True" ]]; then
+ iniset "$IRONIC_CONF_FILE" neutron inspection_network $IRONIC_INSPECTION_NET_NAME
+ iniset "$IRONIC_CONF_FILE" inspector require_managed_boot True
+ iniset "$IRONIC_CONF_FILE" inspector extra_kernel_params \
+ "ipa-inspection-collectors=\"$IRONIC_INSPECTOR_COLLECTORS\""
+ # In this mode we do not have our own PXE environment, so do not accept
+ # requests without manage_boot=False.
+ inspector_iniset DEFAULT can_manage_boot False
+ fi
 setup_logging $IRONIC_INSPECTOR_CONF_FILE DEFAULT
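Review bot: `$IRONIC_INSPECTION_NET_NAME` is passed to `iniset` unquoted in the new managed-boot branch, and its default comes from `$IRONIC_CLEAN_NET_NAME`, which is not defined anywhere in the visible lines. If both are empty the value argument simply disappears, and ironic would be left with `require_managed_boot True` but no usable `inspection_network`, which will likely surface only later as a failed inspection. Quote the variable and fail early in the branch, e.g. `[[ -n "$IRONIC_INSPECTION_NET_NAME" ]] || die $LINENO "IRONIC_INSPECTION_NET_NAME is not set"`. The comment above `can_manage_boot` is a double negative; `# No PXE environment of our own in this mode: reject requests that ask inspector to manage boot` reads more directly. `configure_inspector` starts and ends outside this hunk.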
@@ -415,29 +427,33 @@ EOF
 }
 function prepare_environment {
- prepare_tftp
 create_ironic_inspector_cache_dir
- if [[ "$IRONIC_BAREMETAL_BASIC_OPS" == "True" && "$IRONIC_IS_HARDWARE" == "False" ]]; then
- sudo ip link add $IRONIC_INSPECTOR_OVS_PORT type veth peer name $IRONIC_INSPECTOR_INTERFACE
- sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT up
- sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT mtu $PUBLIC_BRIDGE_MTU
- sudo ovs-vsctl add-port $IRONIC_VM_NETWORK_BRIDGE $IRONIC_INSPECTOR_OVS_PORT
+ if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]]; then
+ prepare_tftp
+
+ if [[ "$IRONIC_BAREMETAL_BASIC_OPS" == "True" && "$IRONIC_IS_HARDWARE" == "False" ]]; then
+ sudo ip link add $IRONIC_INSPECTOR_OVS_PORT type veth peer name $IRONIC_INSPECTOR_INTERFACE
+ sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT up
+ sudo ip link set dev $IRONIC_INSPECTOR_OVS_PORT mtu $PUBLIC_BRIDGE_MTU
+ sudo ovs-vsctl add-port $IRONIC_VM_NETWORK_BRIDGE $IRONIC_INSPECTOR_OVS_PORT
+ fi
+ sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE up
+ sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE mtu $PUBLIC_BRIDGE_MTU
+ sudo ip addr add $IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET dev $IRONIC_INSPECTOR_INTERFACE
+
+ sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p udp \
+ --dport 69 -j ACCEPT
+ sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp \
+ --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
+
+ if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
+ sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 80 -j ACCEPT
+ sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 443 -j ACCEPT
+ fi
+ else
+ sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
 fi
- sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE up
- sudo ip link set dev $IRONIC_INSPECTOR_INTERFACE mtu $PUBLIC_BRIDGE_MTU
- sudo ip addr add $IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET dev $IRONIC_INSPECTOR_INTERFACE
-
- sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p udp \
- --dport 69 -j ACCEPT
- sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp \
- --dport $IRONIC_INSPECTOR_PORT -j ACCEPT
-
- if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
- sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 80 -j ACCEPT
- sudo iptables -I INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp --dport 443 -j ACCEPT
- fi
-
 }
 # create_ironic_inspector_cache_dir() - Part of the prepare_environment() process
diff --git a/zuul.d/ironic-inspector-jobs.yaml b/zuul.d/ironic-inspector-jobs.yaml
index d88bfb9dc..bcf2815c8 100644
--- a/zuul.d/ironic-inspector-jobs.yaml
+++ b/zuul.d/ironic-inspector-jobs.yaml
@@ -73,6 +73,15 @@
 IRONIC_INSPECTOR_DHCP_FILTER: dnsmasq
 IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE: database
+- job:
+ name: ironic-inspector-tempest-managed
+ description: A job with boot managed by ironic
+ parent: ironic-inspector-base
+ vars:
+ devstack_localrc:
+ IRONIC_INSPECTOR_MANAGED_BOOT: True
+ IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK: ''
+
 - job:
 # Security testing for known issues
 name: ironic-inspector-tox-bandit
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index eaa3d41fc..55b7fe561 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -12,6 +12,7 @@
 - ironic-inspector-grenade-dsvm
 - ironic-inspector-tempest
 - ironic-inspector-tempest-discovery
+ - ironic-inspector-tempest-managed
 - ironic-inspector-non-standalone-tempest
 - openstack-tox-functional
 - openstack-tox-functional-py36
@@ -25,6 +26,7 @@
 - ironic-inspector-grenade-dsvm
 - ironic-inspector-tempest
 - ironic-inspector-tempest-discovery
+ - ironic-inspector-tempest-managed
 - ironic-inspector-non-standalone-tempest
 - openstack-tox-functional
 - openstack-tox-functional-py36
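Review bot: In `prepare_environment` (devstack/plugin.sh), the new `else` branch accepts TCP to `$IRONIC_INSPECTOR_PORT` on `$HOST_IP` from any interface and any source address, while every rule in the unmanaged branch is scoped with `-i $IRONIC_INSPECTOR_INTERFACE`. The wider match is presumably needed because managed-mode nodes call back over ironic's inspection network rather than a dedicated inspector interface, but the ramdisk callback endpoint is, as far as I know, unauthenticated, so the scope of this rule is the main thing limiting who can reach it. If the plugin has the inspection network's CIDR available, adding `-s <inspection-network-CIDR>` to the rule would keep the exposure comparable to the unmanaged case. Failing that, a comment above the rule such as `# Managed boot: nodes reach inspector via ironic's inspection network, so there is no inspector interface to match on` would record why the scope differs.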