From fdf6f89a231870fc230c4b15caf098be34d498f1 Mon Sep 17 00:00:00 2001
From: Vasyl Saienko <vsaienko@mirantis.com>
Date: Wed, 12 Apr 2017 13:51:46 +0300
Subject: [PATCH] [Grenade]: Do not run ir-api on primary node after upgrade

Ironic upgrade process has pre-requirement that ironic-conductors
should be upgraded before ironic-api. Grenade is launched on primary
node, where we have ir-api and ir-cond runnning. Do not start ir-api
on primary node after upgrade to avoid situation when we have new ir-api
(primary) and old ir-cond (subnode) as it is not allowed by upgrade
procedure. Instead redirect all requests destinied to ir-api on primary
node to subnode.

Depends-On: I026121121059768aa74389add7eee6e63fdb214d

Change-Id: I9e496353a1d3d6547e4881f96fb187e488cff83f
---
 .../files/apache-ironic-api-redirect.template | 21 +++++++++++
 devstack/lib/ironic                           |  4 ++
 devstack/upgrade/upgrade.sh                   | 37 +++++++++++++++----
 3 files changed, 55 insertions(+), 7 deletions(-)
 create mode 100644 devstack/files/apache-ironic-api-redirect.template

diff --git a/devstack/files/apache-ironic-api-redirect.template b/devstack/files/apache-ironic-api-redirect.template
new file mode 100644
index 0000000000..a4dfcbbac5
--- /dev/null
+++ b/devstack/files/apache-ironic-api-redirect.template
@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 1.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This is an example Apache2 configuration file for using the
+# Ironic API through mod_wsgi.  This version assumes you are
+# running devstack to configure the software.
+
+Listen %IRONIC_SERVICE_PORT%
+
+<VirtualHost *:%IRONIC_SERVICE_PORT%>
+    Redirect 307 / %IRONIC_SERVICE_PROTOCOL%://%IRONIC_SERVICE_HOST%:%IRONIC_SERVICE_PORT%/
+</VirtualHost>
diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index 737934de8f..17b6d7cf60 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -1705,6 +1705,10 @@ function configure_iptables {
     # To use named /baremetal endpoint we should open default apache port
     if [[ "$IRONIC_USE_MOD_WSGI" == "False" ]]; then
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
+        # open ironic API on baremetal network
+        sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
+        # allow IPA to connect to ironic API on subnode
+        sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
     else
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 80 -j ACCEPT || true
     fi
diff --git a/devstack/upgrade/upgrade.sh b/devstack/upgrade/upgrade.sh
index a40f645982..156f3e5703 100755
--- a/devstack/upgrade/upgrade.sh
+++ b/devstack/upgrade/upgrade.sh
@@ -71,9 +71,35 @@ stack_install_service ironic
 # calls upgrade-ironic for specific release
 upgrade_project ironic $RUN_DIR $BASE_DEVSTACK_BRANCH $TARGET_DEVSTACK_BRANCH
 
-
 $IRONIC_BIN_DIR/ironic-dbsync --config-file=$IRONIC_CONF_FILE
 
+iniset $IRONIC_CONF_FILE DEFAULT pin_release_version ${BASE_DEVSTACK_BRANCH#*/}
+
+ensure_started='ironic-conductor nova-compute '
+ensure_stopped=''
+# Don't succeed unless the services come up
+logs_exist="ir-cond"
+# Multinode grenade is designed to upgrade services only on primary node. And there is no way to manipulate
+# subnode during grenade phases. With this after upgrade we can have upgraded (new) services on primary
+# node and not upgraded (old) services on subnode.
+# According to Ironic upgrade procedure, we shouldn't have upgraded (new) ironic-api and not upgraded (old)
+# ironic-conductor. By setting redirect of API requests from primary node to subnode during upgrade
+# allow to satisfy ironic upgrade requirements.
+if [[ "$HOST_TOPOLOGY_ROLE" == 'primary' ]]; then
+    disable_service ir-api
+    ensure_stopped+='ironic-api'
+    ironic_apache_conf=$(apache_site_config_for ironic-api-redirect)
+    sudo cp $IRONIC_DEVSTACK_FILES_DIR/apache-ironic-api-redirect.template $ironic_apache_conf
+    sudo sed -e "
+        s|%IRONIC_SERVICE_PORT%|$IRONIC_SERVICE_PORT|g;
+        s|%IRONIC_SERVICE_PROTOCOL%|$IRONIC_SERVICE_PROTOCOL|g;
+        s|%IRONIC_SERVICE_HOST%|$IRONIC_PROVISION_SUBNET_SUBNODE_IP|g;
+    " -i $ironic_apache_conf
+    enable_apache_site ironic-api-redirect
+else
+    ensure_started+='ironic-api '
+fi
+
 start_ironic
 
 # NOTE(vsaienko) installing ironic service triggers apache restart, that
@@ -82,14 +108,11 @@ stop_nova_compute || true
 wait_for_keystone
 start_nova_compute
 
-# Don't succeed unless the services come up
-logs_exist="ir-cond"
-
-if [[ "$IRONIC_USE_MOD_WSGI" != "True" ]]; then
-    logs_exist+=" ir-api"
+if [[ -n "$ensure_stopped" ]]; then
+    ensure_services_stopped $ensure_stopped
 fi
 
-ensure_services_started ironic-api ironic-conductor
+ensure_services_started $ensure_started
 ensure_logs_exist $logs_exist
 
 # We need these steps only in case of flat-network