openstack/kolla-ansible
Code Issues Proposed changes

Remove ironic-inspector deployment

Browse Source 
Ironic Inspector has been retired and its functionality has been
moved to Ironic.

Added a change to service-ks-register to make password optional
(to able to remove user without a password being passed in).

Using the opportunity - increasing CI coverage to include
inspection.

Change-Id: If178c23249370c7c69744843737e61a6309d6a19
Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
This commit is contained in:
Michal Nasiadka
2025-06-05 15:22:49 +01:00
parent 58b83afc64
commit cbe6fe7cef
44 changed files with 206 additions and 496 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ansible/group_vars/all.yml
View File

@@ -481,13 +481,6 @@ ironic_public_endpoint: "{{ ironic_external_fqdn | kolla_url(public_protocol, ir
ironic_api_port: "6385"
ironic_api_listen_port: "{{ ironic_api_port }}"
ironic_api_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_api_port }}"
ironic_inspector_internal_fqdn: "{{ kolla_internal_fqdn }}"
ironic_inspector_external_fqdn: "{{ kolla_external_fqdn }}"
ironic_inspector_internal_endpoint: "{{ ironic_inspector_internal_fqdn | kolla_url(internal_protocol, ironic_inspector_port) }}"
ironic_inspector_public_endpoint: "{{ ironic_inspector_external_fqdn | kolla_url(public_protocol, ironic_inspector_public_port) }}"
ironic_inspector_port: "5050"
ironic_inspector_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_inspector_port }}"
ironic_inspector_listen_port: "{{ ironic_inspector_port }}"
ironic_http_port: "8089"
ironic_prometheus_exporter_port: "9608"
@@ -877,7 +870,6 @@ enable_horizon_zun: "{{ enable_zun | bool }}"
enable_influxdb: "{{ enable_cloudkitty | bool and cloudkitty_storage_backend == 'influxdb' }}"
enable_ironic: "no"
enable_ironic_dnsmasq: "{{ enable_ironic | bool }}"
enable_ironic_inspector: "no"
enable_ironic_neutron_agent: "no"
enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}"
enable_iscsid: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"

2
ansible/inventory/all-in-one
View File

@@ -351,7 +351,7 @@ ironic
[ironic-conductor:children]
ironic
[ironic-inspector:children]
[ironic-dnsmasq:children]
ironic
[ironic-tftp:children]

2
ansible/inventory/multinode
View File

@@ -359,7 +359,7 @@ ironic
[ironic-conductor:children]
ironic
[ironic-inspector:children]
[ironic-dnsmasq:children]
ironic
[ironic-tftp:children]

7
ansible/roles/bifrost/defaults/main.yml
View File

@@ -11,10 +11,3 @@ bifrost_deploy_image_full: "{{ bifrost_deploy_image }}:{{ bifrost_deploy_tag }}"
bifrost_deploy_container_proxy: "{{ container_proxy }}"
bifrost_deploy_verbosity: "-vvvv"
# Whether to enable the legacy ironic-inspector service
# NOTE(wszumski): Bifrost plans to remove this option once the native in-band
# inspection reaches feature parity. Please see:
# https://bugs.launchpad.net/kolla/+bug/2054685 which contains links for
# tracking the progress.
bifrost_enable_ironic_inspector: true

2
ansible/roles/bifrost/tasks/bootstrap.yml
View File

@@ -8,8 +8,6 @@
{{ kolla_container_engine }} exec bifrost_deploy
bash -c 'mkdir -p /var/log/kolla/ironic &&
chown ironic:ironic /var/log/kolla/ironic &&
mkdir -p /var/log/kolla/ironic-inspector &&
chown ironic:ironic /var/log/kolla/ironic-inspector &&
mkdir -p /var/log/kolla/nginx &&
chown {{ nginx_user }}:{{ nginx_user }} /var/log/kolla/nginx'

1
ansible/roles/bifrost/tasks/stop.yml
View File

@@ -17,7 +17,6 @@
command: "{{ kolla_container_engine }} exec bifrost_deploy systemctl stop {{ item }}.service"
with_items:
- ironic
- ironic-inspector
- mariadb
- nginx

6
ansible/roles/bifrost/templates/bifrost.yml.j2
View File

@@ -2,9 +2,6 @@
# Ironic log directory.
ironic_log_dir: "/var/log/kolla/ironic"
# Ironic inspector log directory.
inspector_log_dir: "/var/log/kolla/ironic-inspector"
# Ironic Python Agent deploy logs directory
ironic_agent_deploy_logs_local_path: "/var/log/kolla/ironic/deploy"
@@ -34,8 +31,5 @@ generate_tls: true
# the default /etc/bifrost is not.
tls_root: "/etc/bifrost-certs"
# Whether to enable the legacy ironic-inspector service.
enable_inspector: "{{ bifrost_enable_ironic_inspector }}"
# Disable firewalld
use_firewalld: false

1
ansible/roles/common/tasks/config.yml
View File

@@ -80,7 +80,6 @@
- { name: "horizon", enabled: "{{ enable_horizon | bool }}" }
- { name: "influxdb", enabled: "{{ enable_influxdb | bool }}" }
- { name: "ironic", enabled: "{{ enable_ironic | bool }}" }
- { name: "ironic-inspector", enabled: "{{ enable_ironic | bool }}" }
- { name: "keystone", enabled: "{{ enable_keystone | bool }}" }
- { name: "kuryr", enabled: "{{ enable_kuryr | bool }}" }
- { name: "magnum", enabled: "{{ enable_magnum | bool }}" }

3
ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2
View File

@@ -1,3 +0,0 @@
"/var/log/kolla/ironic-inspector/*.log"
{
}

2
ansible/roles/fluentd/defaults/main.yml
View File

@@ -109,8 +109,6 @@ fluentd_input_openstack_services:
enabled: "{{ enable_horizon | bool }}"
- name: ironic
enabled: "{{ enable_ironic | bool }}"
- name: ironic-inspector
enabled: "{{ enable_ironic | bool }}"
- name: keystone
enabled: "{{ enable_keystone | bool }}"
- name: kuryr

2
ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
View File

@@ -118,7 +118,7 @@
</rule>
<rule>
key programname
pattern ^(ironic-api|ironic-conductor|ironic-inspector)$
pattern ^(ironic-api|ironic-conductor)$
tag openstack_python
</rule>
<rule>

98
ansible/roles/ironic/defaults/main.yml
View File

@@ -38,33 +38,6 @@ ironic_services:
volumes: "{{ ironic_conductor_default_volumes + ironic_conductor_extra_volumes + lookup('vars', 'run_default_volumes_' + kolla_container_engine) }}"
dimensions: "{{ ironic_conductor_dimensions }}"
healthcheck: "{{ ironic_conductor_healthcheck }}"
ironic-inspector:
container_name: ironic_inspector
group: ironic-inspector
enabled: "{{ enable_ironic_inspector }}"
image: "{{ ironic_inspector_image_full }}"
privileged: True
volumes: "{{ ironic_inspector_default_volumes + ironic_inspector_extra_volumes }}"
dimensions: "{{ ironic_inspector_dimensions }}"
healthcheck: "{{ ironic_inspector_healthcheck }}"
haproxy:
ironic_inspector:
enabled: "{{ enable_ironic }}"
mode: "http"
external: false
port: "{{ ironic_inspector_port }}"
listen_port: "{{ ironic_inspector_listen_port }}"
backend_http_extra:
- "option httpchk"
ironic_inspector_external:
enabled: "{{ enable_ironic }}"
mode: "http"
external: true
external_fqdn: "{{ ironic_inspector_external_fqdn }}"
port: "{{ ironic_inspector_public_port }}"
listen_port: "{{ ironic_inspector_listen_port }}"
backend_http_extra:
- "option httpchk"
ironic-tftp:
container_name: ironic_tftp
group: ironic-tftp
@@ -87,7 +60,7 @@ ironic_services:
healthcheck: "{{ ironic_http_healthcheck }}"
ironic-dnsmasq:
container_name: ironic_dnsmasq
group: ironic-inspector
group: ironic-dnsmasq
enabled: "{{ enable_ironic_dnsmasq }}"
cap_add:
- NET_ADMIN
@@ -117,34 +90,21 @@ ironic_database_name: "ironic"
ironic_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic{% endif %}"
ironic_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}"
ironic_inspector_database_name: "ironic_inspector"
ironic_inspector_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic_inspector{% endif %}"
ironic_inspector_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}"
####################
# Database sharding
####################
ironic_database_shard_root_user: "{% if enable_proxysql | bool %}root_shard_{{ ironic_database_shard_id }}{% else %}{{ database_user }}{% endif %}"
ironic_database_shard_id: "{{ mariadb_default_database_shard_id | int }}"
ironic_inspector_database_shard_id: "{{ ironic_database_shard_id | int }}"
ironic_database_shard:
users:
- user: "{{ ironic_database_user }}"
password: "{{ ironic_database_password }}"
shard_id: "{{ ironic_database_shard_id }}"
- user: "{{ ironic_inspector_database_user }}"
password: "{{ ironic_inspector_database_password }}"
shard_id: "{{ ironic_inspector_database_shard_id }}"
rules:
- schema: "{{ ironic_database_name }}"
shard_id: "{{ ironic_database_shard_id }}"
- user: "{{ ironic_database_user }}"
shard_id: "{{ ironic_database_shard_id }}"
- schema: "{{ ironic_inspector_database_name }}"
shard_id: "{{ ironic_inspector_database_shard_id }}"
- user: "{{ ironic_inspector_database_user }}"
shard_id: "{{ ironic_inspector_database_shard_id }}"
####################
# Docker
@@ -163,10 +123,6 @@ ironic_pxe_image: "{{ docker_image_url }}ironic-pxe"
ironic_pxe_tag: "{{ ironic_tag }}"
ironic_pxe_image_full: "{{ ironic_pxe_image }}:{{ ironic_pxe_tag }}"
ironic_inspector_image: "{{ docker_image_url }}ironic-inspector"
ironic_inspector_tag: "{{ ironic_tag }}"
ironic_inspector_image_full: "{{ ironic_inspector_image }}:{{ ironic_inspector_tag }}"
ironic_dnsmasq_image: "{{ docker_image_url }}dnsmasq"
ironic_dnsmasq_tag: "{{ ironic_tag }}"
ironic_dnsmasq_image_full: "{{ ironic_dnsmasq_image }}:{{ ironic_dnsmasq_tag }}"
@@ -179,7 +135,6 @@ ironic_api_dimensions: "{{ default_container_dimensions }}"
ironic_conductor_dimensions: "{{ default_container_dimensions }}"
ironic_tftp_dimensions: "{{ default_container_dimensions }}"
ironic_http_dimensions: "{{ default_container_dimensions }}"
ironic_inspector_dimensions: "{{ default_container_dimensions }}"
ironic_dnsmasq_dimensions: "{{ default_container_dimensions }}"
ironic_prometheus_exporter_dimensions: "{{ default_container_dimensions }}"
@@ -209,19 +164,6 @@ ironic_conductor_healthcheck:
test: "{% if ironic_conductor_enable_healthchecks | bool %}{{ ironic_conductor_healthcheck_test }}{% else %}NONE{% endif %}"
timeout: "{{ ironic_conductor_healthcheck_timeout }}"
ironic_inspector_enable_healthchecks: "{{ enable_container_healthchecks }}"
ironic_inspector_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
ironic_inspector_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
ironic_inspector_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
ironic_inspector_healthcheck_test: ["CMD-SHELL", "healthcheck_port ironic-inspector {{ om_rpc_port }}"]
ironic_inspector_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
ironic_inspector_healthcheck:
interval: "{{ ironic_inspector_healthcheck_interval }}"
retries: "{{ ironic_inspector_healthcheck_retries }}"
start_period: "{{ ironic_inspector_healthcheck_start_period }}"
test: "{% if ironic_inspector_enable_healthchecks | bool %}{{ ironic_inspector_healthcheck_test }}{% else %}NONE{% endif %}"
timeout: "{{ ironic_inspector_healthcheck_timeout }}"
ironic_http_enable_healthchecks: "{{ enable_container_healthchecks }}"
ironic_http_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
ironic_http_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
@@ -266,19 +208,12 @@ ironic_http_default_volumes:
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
- "ironic:/var/lib/ironic"
- "kolla_logs:/var/log/kolla"
ironic_inspector_default_volumes:
- "{{ node_config_directory }}/ironic-inspector/:{{ container_config_directory }}/:ro"
- "/etc/localtime:/etc/localtime:ro"
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
- "kolla_logs:/var/log/kolla"
- "ironic_inspector_dhcp_hosts:/var/lib/ironic-inspector/dhcp-hostsdir"
- "{{ kolla_dev_repos_directory ~ '/ironic-inspector:/dev-mode/ironic-inspector' if ironic_inspector_dev_mode | bool else '' }}"
ironic_dnsmasq_default_volumes:
- "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
- "/etc/localtime:/etc/localtime:ro"
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
- "kolla_logs:/var/log/kolla"
- "ironic_inspector_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
- "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
ironic_prometheus_exporter_default_volumes:
- "{{ node_config_directory }}/ironic-prometheus-exporter/:{{ container_config_directory }}/:ro"
- "/etc/localtime:/etc/localtime:ro"
@@ -291,7 +226,6 @@ ironic_api_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_conductor_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_tftp_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_http_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_inspector_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}"
ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}"
@@ -299,13 +233,10 @@ ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}"
# OpenStack
####################
ironic_inspector_keystone_user: "ironic-inspector"
ironic_logging_debug: "{{ openstack_logging_debug }}"
openstack_ironic_auth: "{{ openstack_auth }}"
openstack_ironic_inspector_auth: "{{ openstack_auth }}"
ironic_api_workers: "{{ openstack_service_workers }}"
#########
@@ -323,8 +254,8 @@ ironic_http_url: "http://{{ ironic_http_interface_address | put_address_in_conte
ironic_tftp_listen_address: "{{ ironic_tftp_interface_address }}"
ironic_enable_rolling_upgrade: "yes"
ironic_upgrade_skip_wait_check: false
ironic_inspector_kernel_cmdline_extras: []
ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}"
ironic_kernel_cmdline_extras: []
ironic_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}"
ironic_prometheus_exporter_data_dir: "/var/lib/ironic-prometheus-exporter/data"
ironic_prometheus_exporter_sensor_data_interval: 30
ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true"
@@ -333,13 +264,10 @@ ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true"
####################
## Kolla
#####################
ironic_inspector_git_repository: "{{ kolla_dev_repos_git }}/ironic-inspector"
ironic_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
ironic_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
ironic_dev_mode: "{{ kolla_dev_mode }}"
ironic_inspector_dev_mode: "{{ ironic_dev_mode }}"
ironic_source_version: "{{ kolla_source_version }}"
ironic_inspector_source_version: "{{ ironic_source_version }}"
ironic_agent_files_directory: "{{ node_custom_config }}"
@@ -363,34 +291,28 @@ ironic_ks_services:
endpoints:
- {'interface': 'internal', 'url': '{{ ironic_internal_endpoint }}'}
- {'interface': 'public', 'url': '{{ ironic_public_endpoint }}'}
# TODO(mnasiadka): Remove in Gazpacho/2026.1
- name: "ironic-inspector"
type: "baremetal-introspection"
description: "Ironic Inspector baremetal introspection service"
endpoints:
- {'interface': 'internal', 'url': '{{ ironic_inspector_internal_endpoint }}'}
- {'interface': 'public', 'url': '{{ ironic_inspector_public_endpoint }}'}
state: absent
endpoints: []
ironic_ks_users:
- project: "service"
user: "{{ ironic_keystone_user }}"
password: "{{ ironic_keystone_password }}"
role: "admin"
# TODO(mnasiadka): Remove in Gazpacho/2026.1
- project: "service"
user: "{{ ironic_inspector_keystone_user }}"
password: "{{ ironic_inspector_keystone_password }}"
user: "{{ ironic_inspector_keystone_user | default('ironic-inspector') }}"
role: "admin"
state: absent
ironic_ks_user_roles:
- project: "service"
user: "{{ ironic_keystone_user }}"
role: "service"
- project: "service"
user: "{{ ironic_inspector_keystone_user }}"
role: "service"
state: "absent"
- system: "all"
user: "{{ ironic_inspector_keystone_user }}"
role: "service"
####################
# TLS

15
ansible/roles/ironic/handlers/main.yml
View File

@@ -28,21 +28,6 @@
dimensions: "{{ service.dimensions }}"
healthcheck: "{{ service.healthcheck | default(omit) }}"
- name: Restart ironic-inspector container
vars:
service_name: "ironic-inspector"
service: "{{ ironic_services[service_name] }}"
become: true
kolla_container:
action: "recreate_or_restart_container"
common_options: "{{ docker_common_options }}"
name: "{{ service.container_name }}"
image: "{{ service.image }}"
privileged: "{{ service.privileged | default(False) }}"
volumes: "{{ service.volumes | reject('equalto', '') | list }}"
dimensions: "{{ service.dimensions }}"
healthcheck: "{{ service.healthcheck | default(omit) }}"
- name: Restart ironic-tftp container
vars:
service_name: "ironic-tftp"

6
ansible/roles/ironic/tasks/bootstrap.yml
View File

@@ -16,8 +16,6 @@
with_items:
- database_name: "{{ ironic_database_name }}"
group: "ironic-api"
- database_name: "{{ ironic_inspector_database_name }}"
group: "ironic-inspector"
when:
- not use_preconfigured_databases | bool
- inventory_hostname in groups[item.group]
@@ -45,10 +43,6 @@
database_user: "{{ ironic_database_user }}"
database_password: "{{ ironic_database_password }}"
group: "ironic-api"
- database_name: "{{ ironic_inspector_database_name }}"
database_user: "{{ ironic_inspector_database_user }}"
database_password: "{{ ironic_inspector_database_password }}"
group: "ironic-inspector"
loop_control:
label: "{{ item.database_name }}"
when:

23
ansible/roles/ironic/tasks/bootstrap_service.yml
View File

@@ -24,29 +24,6 @@
delegate_to: "{{ groups[ironic_api.group][0] }}"
when: inventory_hostname in groups[ironic_api.group]
- name: Running Ironic Inspector bootstrap container
vars:
ironic_inspector: "{{ ironic_services['ironic-inspector'] }}"
become: true
kolla_container:
action: "start_container"
common_options: "{{ docker_common_options }}"
detach: False
environment:
KOLLA_BOOTSTRAP:
KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
image: "{{ ironic_inspector.image }}"
labels:
BOOTSTRAP:
name: "bootstrap_ironic_inspector"
restart_policy: oneshot
volumes: "{{ ironic_inspector.volumes | reject('equalto', '') | list }}"
run_once: True
delegate_to: "{{ groups[ironic_inspector.group][0] }}"
when:
- inventory_hostname in groups[ironic_inspector.group]
- enable_ironic_inspector | bool
- name: Running ironic-tftp bootstrap container
vars:
service: "{{ ironic_services['ironic-tftp'] }}"

9
ansible/roles/ironic/tasks/clone.yml
View File

@@ -6,12 +6,3 @@
dest: "{{ kolla_dev_repos_directory }}/{{ project_name }}"
update: "{{ ironic_dev_repos_pull }}"
version: "{{ ironic_source_version }}"
- name: Cloning ironic-inspector source repository for development
become: true
git:
repo: "{{ ironic_inspector_git_repository }}"
dest: "{{ kolla_dev_repos_directory }}/ironic-inspector"
update: "{{ ironic_dev_repos_pull }}"
version: "{{ ironic_inspector_source_version }}"
when: ironic_inspector_dev_mode | bool

99
ansible/roles/ironic/tasks/config.yml
View File

@@ -21,18 +21,6 @@
- "{{ node_custom_config }}/ironic/"
skip: true
- name: Check if Ironic Inspector policies shall be overwritten
stat:
path: "{{ item }}"
delegate_to: localhost
run_once: True
register: ironic_inspector_policy
with_first_found:
- files: "{{ supported_policy_format_list }}"
paths:
- "{{ node_custom_config }}/ironic/inspector/"
skip: true
- name: Set ironic policy file
set_fact:
ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
@@ -40,38 +28,6 @@
when:
- ironic_policy.results
- name: Set ironic-inspector policy file
set_fact:
ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}"
ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}"
when:
- ironic_inspector_policy.results
- name: Check if Ironic Inspector known_devices.yaml shall be overwritten
stat:
path: "{{ node_custom_config }}/ironic-inspector/known_devices.yaml"
delegate_to: localhost
run_once: True
register: ironic_inspector_known_devices
- name: Set known_devices file path
set_fact:
ironic_inspector_known_devices_file_path: "{{ ironic_inspector_known_devices.stat.path }}"
when:
- ironic_inspector_known_devices.stat.exists
- name: Copying over known_devices.yaml
vars:
service: "{{ ironic_services['ironic-inspector'] }}"
template:
src: "{{ ironic_inspector_known_devices_file_path }}"
dest: "{{ node_config_directory }}/ironic-inspector/known_devices.yaml"
mode: "0660"
become: true
when:
- ironic_inspector_known_devices_file_path is defined
- service | service_enabled_and_mapped_to_host
- include_tasks: copy-certs.yml
when:
- ironic_copy_certs | bool
@@ -101,21 +57,6 @@
- item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter" ]
with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over inspector.conf
vars:
service: "{{ ironic_services['ironic-inspector'] }}"
merge_configs:
sources:
- "{{ role_path }}/templates/ironic-inspector.conf.j2"
- "{{ node_custom_config }}/global.conf"
- "{{ node_custom_config }}/ironic-inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/inspector.conf"
- "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf"
dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf"
mode: "0660"
become: true
when: service | service_enabled_and_mapped_to_host
- name: Copying over dnsmasq.conf
vars:
service: "{{ ironic_services['ironic-dnsmasq'] }}"
@@ -143,8 +84,8 @@
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default"
- "pxelinux.default.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
# Only required when Ironic dnsmasq is in use.
- groups['ironic-dnsmasq'] | length > 0
- service | service_enabled_and_mapped_to_host
- not ironic_dnsmasq_serve_ipxe | bool
@@ -160,8 +101,8 @@
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
# Only required when Ironic dnsmasq is in use.
- groups['ironic-dnsmasq'] | length > 0
- service | service_enabled_and_mapped_to_host
- not ironic_dnsmasq_serve_ipxe | bool
@@ -177,25 +118,25 @@
- "ironic-agent.kernel"
- "ironic-agent.initramfs"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
# Only required when Ironic dnsmasq is in use.
- groups['ironic-dnsmasq'] | length > 0
- service | service_enabled_and_mapped_to_host
- name: Copying inspector.ipxe
- name: Copying ipa.ipxe
vars:
service: "{{ ironic_services['ironic-http'] }}"
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/ironic-http/inspector.ipxe"
dest: "{{ node_config_directory }}/ironic-http/ipa.ipxe"
mode: "0660"
become: true
with_first_found:
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/inspector.ipxe"
- "{{ node_custom_config }}/ironic/inspector.ipxe"
- "inspector.ipxe.j2"
- "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ipa.ipxe"
- "{{ node_custom_config }}/ironic/ipa.ipxe"
- "ipa.ipxe.j2"
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
# Only required when Ironic dnsmasq is in use.
- groups['ironic-dnsmasq'] | length > 0
- service | service_enabled_and_mapped_to_host
- name: Copying ironic-http-httpd.conf
@@ -240,20 +181,6 @@
- item.key in services_require_policy_json
with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over existing Ironic Inspector policy file
vars:
services_require_inspector_policy_json:
- ironic-inspector
template:
src: "{{ ironic_inspector_policy_file_path }}"
dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}"
mode: "0660"
become: true
when:
- ironic_inspector_policy_file is defined
- item.key in services_require_inspector_policy_json
with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
- name: Copying over ironic-api-wsgi.conf
vars:
service: "{{ ironic_services['ironic-api'] }}"

17
ansible/roles/ironic/tasks/deploy.yml
View File

@@ -15,20 +15,3 @@
- name: Flush handlers
meta: flush_handlers
# NOTE(mgoddard): If inspector was previously configured to use the iptables
# PXE filter, it may leave rules in place that block inspection. Clean them up.
# The iptables Ansible module is not idempotent - it fails if the chain does
# not exist, so use a command instead.
- name: Flush and delete ironic-inspector iptables chain
become: true
command: iptables --{{ item }} ironic-inspector
register: ironic_inspector_chain
with_items:
- flush
- delete-chain
when: ironic_inspector_pxe_filter != 'iptables'
changed_when: ironic_inspector_chain.rc == 0
failed_when:
- ironic_inspector_chain.rc != 0
- "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"

18
ansible/roles/ironic/tasks/precheck.yml
View File

@@ -12,7 +12,6 @@
container_engine: "{{ kolla_container_engine }}"
name:
- ironic_api
- ironic_inspector
- ironic_http
- ironic_prometheus_exporter
check_mode: false
@@ -29,17 +28,6 @@
- container_facts.containers['ironic_api'] is not defined
- inventory_hostname in groups['ironic-api']
- name: Checking free port for Ironic Inspector
wait_for:
host: "{{ api_interface_address }}"
port: "{{ ironic_inspector_listen_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- container_facts.containers['ironic_inspector'] is not defined
- inventory_hostname in groups['ironic-inspector']
- name: Checking free port for Ironic HTTP server
wait_for:
host: "{{ api_interface_address }}"
@@ -63,7 +51,7 @@
- container_facts.containers['ironic_prometheus_exporter'] is not defined
- inventory_hostname in groups['ironic-conductor']
- name: Checking ironic-agent files exist for Ironic Inspector
- name: Checking ironic-agent files exist for Ironic
stat:
path: "{{ ironic_agent_files_directory }}/ironic/{{ item }}"
delegate_to: localhost
@@ -71,8 +59,8 @@
register: result
failed_when: not result.stat.exists
when:
# Only required when Ironic inspector is in use.
- groups['ironic-inspector'] | length > 0
# Only required when Ironic dnsmasq is in use.
- groups['ironic-dnsmasq'] | length > 0
- (not ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-tftp']) or
(ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-http'])
with_items:

59
ansible/roles/ironic/tasks/upgrade.yml
View File

@@ -1,6 +1,55 @@
---
# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
- name: Remove ironic-inspector
become: true
kolla_container:
action: "stop_and_remove_container"
common_options: "{{ docker_common_options }}"
name: "ironic_inspector"
ignore_missing: true
# TODO(mnasiadka): Remove this block in Gazpacho/2026.1 release
- name: Handle volume migration for ironic_dnsmasq
when: enable_ironic_dnsmasq | bool
block:
- name: Stop ironic_dnsmasq container
become: true
kolla_container:
action: "stop_container"
common_options: "{{ docker_common_options }}"
name: "ironic_dnsmasq"
ignore_missing: true
- name: Create ironic_dhcp_hosts volume
become: true
command: "{{ kolla_container_engine }} volume create ironic_dhcp_hosts"
- name: Migrate data from ironic_inspector_dhcp_hosts volume
become: true
vars:
volumes_dir: >-
{{ '/var/lib/docker/volumes' if kolla_container_engine == 'docker'
else '/var/lib/containers/storage/volumes' }}
command: >-
mv {{ volumes_dir }}/ironic_inspector_dhcp_hosts/_data/
{{ volumes_dir }}/ironic_dhcp_hosts/_data
- name: Get Ironic API container facts
become: true
vars:
container_name: "{{ ironic_services['ironic-api'].container_name }}"
kolla_container_facts:
action: get_containers
container_engine: "{{ kolla_container_engine }}"
name:
- "{{ container_name }}"
check_mode: false
register: container_facts
- name: Wait for Ironic nodes not to wait
become: true
vars:
container_name: "{{ ironic_services['ironic-api'].container_name }}"
command: >
{{ kolla_container_engine }} exec kolla_toolbox openstack
--os-interface {{ openstack_interface }}
@@ -25,10 +74,18 @@
select('search', '\\bwait\\b') |
length) == 0
run_once: true
when: not ironic_upgrade_skip_wait_check | bool
when:
- not ironic_upgrade_skip_wait_check | bool
- container_facts.containers[container_name] is defined
- include_tasks: rolling_upgrade.yml
when: ironic_enable_rolling_upgrade | bool
- include_tasks: legacy_upgrade.yml
when: not ironic_enable_rolling_upgrade | bool
# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
- name: Remove ironic_inspector_dhcp_hosts volume
become: true
command: "{{ kolla_container_engine }} volume rm ironic_inspector_dhcp_hosts"
when: enable_ironic_dnsmasq | bool

6
ansible/roles/ironic/templates/inspector.ipxe.j2 → ansible/roles/ironic/templates/ipa.ipxe.j2
View File

@@ -7,12 +7,12 @@ dhcp || goto retry_dhcp
{% if not enable_neutron | bool %}
# load the MAC-specific file or fail if it's not found
:boot_system
chain pxelinux.cfg/${mac:hexhyp} || goto inspector_ipa
chain pxelinux.cfg/${mac:hexhyp} || goto ipa
{% endif %}
:inspector_ipa
:ipa
:retry_boot
imgfree
kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_inspector_kernel_cmdline_extras | join(' ') }} || goto retry_boot
kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_kernel_cmdline_extras | join(' ') }} || goto retry_boot
initrd --timeout 30000 {{ ironic_http_url }}/ironic-agent.initramfs || goto retry_boot
boot

4
ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
View File

@@ -25,7 +25,7 @@ dhcp-match=ipxe,175
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
# Client is already running iPXE; move to next stage of chainloading
dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/inspector.ipxe
dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/ipa.ipxe
# Client is PXE booting over EFI without iPXE ROM,
# send EFI version of iPXE chainloader
dhcp-option=tag:efi,tag:!ipxe,option:bootfile-name,{{ ironic_dnsmasq_uefi_ipxe_boot_file }}
@@ -39,6 +39,6 @@ log-facility=/var/log/kolla/ironic/dnsmasq.log
log-dhcp
{% endif %}
{% if ironic_inspector_pxe_filter == 'dnsmasq' %}
{% if ironic_pxe_filter == 'dnsmasq' %}
dhcp-hostsdir=/etc/dnsmasq/dhcp-hostsdir
{% endif %}

6
ansible/roles/ironic/templates/ironic-http.json.j2
View File

@@ -3,7 +3,7 @@
{
"command": "{{ apache_cmd }} -DFOREGROUND",
"config_files": [
{% if groups['ironic-inspector'] | length > 0 %}
{% if groups['ironic-dnsmasq'] | length > 0 %}
{
"source": "{{ container_config_directory }}/ironic-agent.kernel",
"dest": "/var/lib/ironic/httpboot/ironic-agent.kernel",
@@ -17,8 +17,8 @@
"perm": "0644"
},
{
"source": "{{ container_config_directory }}/inspector.ipxe",
"dest": "/var/lib/ironic/httpboot/inspector.ipxe",
"source": "{{ container_config_directory }}/ipa.ipxe",
"dest": "/var/lib/ironic/httpboot/ipa.ipxe",
"owner": "root",
"perm": "0644"
},

103
ansible/roles/ironic/templates/ironic-inspector.conf.j2
View File

@@ -1,103 +0,0 @@
[DEFAULT]
debug = {{ ironic_logging_debug }}
log_dir = /var/log/kolla/ironic-inspector
{% if not ironic_enable_keystone_integration | bool %}
auth_strategy = noauth
{% endif %}
listen_address = {{ api_interface_address }}
listen_port = {{ ironic_inspector_listen_port }}
transport_url = {{ rpc_transport_url }}
[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
[oslo_messaging_rabbit]
use_queue_manager = true
heartbeat_in_pthread = false
{% if om_enable_rabbitmq_tls | bool %}
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
rabbit_quorum_queue = true
{% if om_enable_rabbitmq_stream_fanout | bool %}
rabbit_stream_fanout = true
rabbit_qos_prefetch_count = {{ om_rabbitmq_qos_prefetch_count }}
{% endif %}
rabbit_transient_quorum_queue = true
[ironic]
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_internal_url }}
auth_type = password
user_domain_id = {{ default_user_domain_id }}
username = {{ ironic_inspector_keystone_user }}
password = {{ ironic_inspector_keystone_password }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }}
system_scope = all
{% else %}
auth_type = none
endpoint_override = {{ ironic_internal_endpoint }}
{% endif %}
{% if ironic_enable_keystone_integration | bool %}
[keystone_authtoken]
service_type = baremetal-introspection
www_authenticate_uri = {{ keystone_public_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ ironic_inspector_keystone_user }}
password = {{ ironic_inspector_keystone_password }}
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }}
memcache_security_strategy = {{ memcache_security_strategy }}
memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
{% endif %}
{% if ironic_policy_file is defined %}
[oslo_policy]
policy_file = {{ ironic_policy_file }}
{% endif %}
[database]
connection = mysql+pymysql://{{ ironic_inspector_database_user }}:{{ ironic_inspector_database_password }}@{{ ironic_inspector_database_address }}/{{ ironic_inspector_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if ironic_database_enable_tls_internal | bool }}
connection_recycle_time = {{ database_connection_recycle_time }}
max_pool_size = {{ database_max_pool_size }}
[processing]
ramdisk_logs_dir = /var/log/kolla/ironic-inspector
[pxe_filter]
driver = {{ ironic_inspector_pxe_filter }}
{% if ironic_inspector_pxe_filter == 'iptables' %}
[iptables]
dnsmasq_interface = {{ ironic_dnsmasq_interface }}
{% endif %}
[coordination]
{% if ironic_coordination_backend == 'redis' %}
backend_url = {{ redis_connection_string }}
{% elif ironic_coordination_backend == 'etcd' %}
# NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http) due to issues with alternative (etcd3) and eventlet (as used by cinder)
# see https://bugs.launchpad.net/kolla-ansible/+bug/1854932
# and https://review.opendev.org/466098 for details
# NOTE(jan.gutter): etcd v3.4 removed the default `v3alpha` api_version. Until
# tooz defaults to a newer version, we should explicitly specify `v3`
backend_url = etcd3+{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ etcd_client_port }}?api_version=v3{% if openstack_cacert %}?ca_cert={{ openstack_cacert }}{% endif %}
{% endif %}
{% if ironic_inspector_known_devices_file_path is defined %}
[accelerators]
known_devices = /etc/ironic-inspector/known_devices.yaml
{% endif %}
[oslo_concurrency]
lock_path = /var/lib/ironic-inspector/tmp

28
ansible/roles/ironic/templates/ironic-inspector.json.j2
View File

@@ -1,28 +0,0 @@
{
"command": "ironic-inspector --config-file /etc/ironic-inspector/inspector.conf",
"config_files": [
{
"source": "{{ container_config_directory }}/inspector.conf",
"dest": "/etc/ironic-inspector/inspector.conf",
"owner": "ironic-inspector",
"perm": "0600"
}{% if ironic_inspector_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}",
"dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}",
"owner": "ironic-inspector",
"perm": "0600"
}{% endif %}{% if ironic_inspector_known_devices_file_path is defined %},
{
"source": "{{ container_config_directory }}/known_devices.yaml",
"dest": "/etc/ironic-inspector/known_devices.yaml",
"owner": "ironic-inspector",
}{% endif %}{% if kolla_copy_ca_into_containers | bool %},
{
"source": "{{ container_config_directory }}/ca-certificates",
"dest": "/var/lib/kolla/share/ca-certificates",
"owner": "root",
"perm": "0600"
}{% endif %}
]
}

2
ansible/roles/ironic/templates/ironic-tftp.json.j2
View File

@@ -4,7 +4,7 @@
{
"command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address {{ ironic_tftp_listen_address }}:69 --map-file /map-file /var/lib/ironic/tftpboot",
"config_files": [
{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-dnsmasq'] | length > 0 %}
{
"source": "{{ container_config_directory }}/ironic-agent.kernel",
"dest": "/var/lib/ironic/tftpboot/ironic-agent.kernel",

17
ansible/roles/ironic/templates/ironic.conf.j2
View File

@@ -155,23 +155,6 @@ valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% endif %}
[inspector]
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = default
project_name = service
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal
cafile = {{ openstack_cacert }}
{% else %}
auth_type = none
endpoint_override = {{ ironic_inspector_internal_endpoint }}
{% endif %}
[service_catalog]
{% if ironic_enable_keystone_integration | bool %}
auth_url = {{ keystone_internal_url }}

2
ansible/roles/ironic/templates/pxelinux.default.j2
View File

@@ -3,6 +3,6 @@ default introspect
label introspect
kernel ironic-agent.kernel
append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_inspector_kernel_cmdline_extras | join(' ') }}
append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_kernel_cmdline_extras | join(' ') }}
ipappend 3

13
ansible/roles/loadbalancer/tasks/precheck.yml
View File

@@ -435,19 +435,6 @@
- haproxy_stat.find('ironic_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Ironic Inspector HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ ironic_inspector_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_ironic | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('ironic_inspector') == -1
- haproxy_vip_prechecks
- name: Checking free port for Keystone Internal HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"

9
ansible/roles/loadbalancer/tasks/upgrade.yml
View File

@@ -27,4 +27,13 @@
when:
- inventory_hostname in groups['loadbalancer']
# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
- name: Removing config for ironic-inspector
file:
path: "{{ node_config_directory }}/haproxy/services.d/ironic-inspector.cfg"
state: "absent"
become: true
when:
- inventory_hostname in groups['loadbalancer']
- import_tasks: deploy.yml

2
ansible/roles/prometheus/defaults/main.yml
View File

@@ -250,8 +250,6 @@ prometheus_blackbox_exporter_endpoints_default:
- endpoints:
- "ironic:os_endpoint:{{ ironic_public_endpoint }}"
- "{{ ('ironic_internal:os_endpoint:' + ironic_internal_endpoint) if not kolla_same_external_internal_vip | bool }}"
- "ironic_inspector:os_endpoint:{{ ironic_inspector_public_endpoint }}"
- "{{ ('ironic_inspector_internal:os_endpoint:' + ironic_inspector_internal_endpoint) if not kolla_same_external_internal_vip | bool }}"
enabled: "{{ enable_ironic | bool }}"
- endpoints:
- "keystone:os_endpoint:{{ keystone_public_url }}"

10
ansible/roles/service-ks-register/tasks/main.yml
View File

@@ -64,15 +64,19 @@
retries: "{{ service_ks_register_retries }}"
delay: "{{ service_ks_register_delay }}"
- name: "{{ project_name }} | Creating users"
- name: "{{ project_name }} | Creating/deleting users"
kolla_toolbox:
container_engine: "{{ kolla_container_engine }}"
module_name: openstack.cloud.identity_user
module_args:
default_project: "{{ item.project }}"
name: "{{ item.user }}"
password: "{{ item.password }}"
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
password: "{{ item.password | default(omit) }}"
update_password: >-
{{ 'always' if
update_keystone_service_user_passwords | bool and
item.password is defined
else 'on_create' }}
domain: "{{ service_ks_register_domain }}"
region_name: "{{ service_ks_register_region_name }}"
auth: "{{ service_ks_register_auth }}"

1
ansible/site.yml
View File

@@ -552,7 +552,6 @@
hosts:
- ironic-api
- ironic-conductor
- ironic-inspector
- ironic-tftp
- ironic-http
- '&enable_ironic_True'

12
doc/source/reference/bare-metal/ironic-guide.rst
View File

@@ -26,7 +26,7 @@ define a network to be used for the Ironic cleaning network:
ironic_dnsmasq_interface: "eth1"
ironic_cleaning_network: "public1"
Finally, define at least one DHCP range for Ironic inspector:
Finally, define at least one DHCP range for Ironic inspection:
.. code-block:: yaml
@@ -76,7 +76,7 @@ The default lease time for each range can be configured globally via
``ironic_dnsmasq_dhcp_default_lease_time`` variable or per range via
``lease_time`` parameter.
In the same file, specify the PXE bootloader file for Ironic Inspector. The
In the same file, specify the PXE bootloader file for Ironic inspection. The
file is relative to the ``/var/lib/ironic/tftpboot`` directory. The default is
``pxelinux.0``, and should be correct for x86 systems. Other platforms may
require a different value, for example aarch64 on Debian requires
@@ -86,7 +86,7 @@ require a different value, for example aarch64 on Debian requires
ironic_dnsmasq_boot_file: pxelinux.0
Ironic inspector also requires a deploy kernel and ramdisk to be placed in
Ironic inspection also requires a deploy kernel and ramdisk to be placed in
``/etc/kolla/config/ironic/``. The following example uses coreos which is
commonly used in Ironic deployments, though any compatible kernel/ramdisk may
be used:
@@ -103,7 +103,7 @@ You may optionally pass extra kernel parameters to the inspection kernel using:
.. code-block:: yaml
ironic_inspector_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1']
ironic_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1']
in ``/etc/kolla/globals.yml``.
@@ -120,7 +120,7 @@ Revert to plain PXE (not recommended)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting with Yoga, Ironic has changed the default PXE from plain PXE to iPXE.
Kolla Ansible follows this upstream decision by choosing iPXE as the default
for Ironic Inspector but allows users to revert to the previous default of
for Ironic inspection but allows users to revert to the previous default of
plain PXE by setting the following in
``/etc/kolla/globals.yml``:
@@ -215,7 +215,7 @@ Post-deployment configuration
The :ironic-doc:`Ironic documentation <install/configure-glance-images>`
describes how to create the deploy kernel and ramdisk and register them with
Glance. In this example we're reusing the same images that were fetched for the
Inspector:
inspection:
.. code-block:: console

6
etc/kolla/globals.yml
View File

@@ -639,14 +639,14 @@ workaround_ansible_issue_8743: yes
#############################
# Ironic options
#############################
# dnsmasq bind interface for Ironic Inspector, by default is network_interface
# dnsmasq bind interface for Ironic inspection, by default is network_interface
#ironic_dnsmasq_interface: "{{ network_interface }}"
# The following value must be set when enabling ironic, the value format is a
# list of ranges - at least one must be configured, for example:
# - range: 192.168.0.10,192.168.0.100
# See Kolla Ansible docs on Ironic for details.
#ironic_dnsmasq_dhcp_ranges:
# PXE bootloader file for Ironic Inspector, relative to /var/lib/ironic/tftpboot.
# PXE bootloader file for Ironic inspection, relative to /var/lib/ironic/tftpboot.
#ironic_dnsmasq_boot_file: "pxelinux.0"
# Configure ironic upgrade option, due to currently kolla support
@@ -657,7 +657,7 @@ workaround_ansible_issue_8743: yes
#ironic_enable_rolling_upgrade: "yes"
# List of extra kernel parameters passed to the kernel used during inspection
#ironic_inspector_kernel_cmdline_extras: []
#ironic_kernel_cmdline_extras: []
# Valid options are [ '', redis, etcd ]
#ironic_coordination_backend: "{{ 'redis' if enable_redis|bool else 'etcd' if enable_etcd|bool else '' }}"

3
etc/kolla/passwords.yml
View File

@@ -96,9 +96,6 @@ heat_domain_admin_password:
ironic_database_password:
ironic_keystone_password:
ironic_inspector_database_password:
ironic_inspector_keystone_password:
magnum_database_password:
magnum_keystone_password:

12
releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml Normal file
View File

@@ -0,0 +1,12 @@
---
upgrade:
- |
The ``ironic-inspector`` deployment support has been dropped following
retirement of that service in ``Ironic`` project.
``ironic_inspector_kernel_cmdline_extras`` has been renamed to
``ironic_kernel_cmdline_extras`` and ``ironic_inspector_pxe_filter``
has been renamed to ``ironic_pxe_filter``.
Also the ``inspector.ipxe`` file has been renamed to ``ipa.ipxe``.
- |
``bifrost`` support for deploying legacy ironic inspector has been
dropped together with ``bifrost_enable_ironic_inspector`` variable.

2
roles/openstack-clients/defaults/main.yml
View File

@@ -8,8 +8,6 @@ openstack_clients_pip_packages:
enabled: true
- package: python-ironicclient
enabled: "{{ scenario == 'ironic' }}"
- package: python-ironic-inspector-client
enabled: "{{ scenario == 'ironic' }}"
- package: python-magnumclient
enabled: "{{ scenario == 'magnum' }}"
- package: python-masakariclient

8
tests/get_logs.sh
View File

@@ -123,7 +123,7 @@ copy_logs() {
# bifrost related logs
if [[ $(${CONTAINER_ENGINE} ps --filter name=bifrost_deploy --format "{{.Names}}") ]]; then
for service in dnsmasq ironic ironic-api ironic-conductor ironic-inspector mariadb nginx; do
for service in dnsmasq ironic ironic-api ironic-conductor mariadb nginx; do
mkdir -p ${LOG_DIR}/kolla/$service
${CONTAINER_ENGINE} exec bifrost_deploy systemctl status $service > ${LOG_DIR}/kolla/$service/systemd-status-$service.txt
done
@@ -136,12 +136,6 @@ copy_logs() {
${CONTAINER_ENGINE} exec haproxy bash -c 'echo show stat | socat stdio /var/lib/kolla/haproxy/haproxy.sock' > ${LOG_DIR}/kolla/haproxy/stats.txt
fi
# FIXME: remove
if [[ $(${CONTAINER_ENGINE} ps -a --filter name=ironic_inspector --format "{{.Names}}") ]]; then
mkdir -p ${LOG_DIR}/kolla/ironic-inspector
ls -lR ${VOLUMES_DIR}/ironic_inspector_dhcp_hosts > ${LOG_DIR}/kolla/ironic-inspector/var-lib-ls.txt
fi
for container in $(${CONTAINER_ENGINE} ps -a --format "{{.Names}}"); do
${CONTAINER_ENGINE} logs --timestamps --tail=${LOGS_TAIL_PARAMETER} ${container} &> ${LOG_DIR}/container_logs/${container}.txt
done

6
tests/templates/inventory.j2
View File

@@ -410,9 +410,15 @@ ironic
[ironic-conductor:children]
ironic
{# NOTE(mnasiadka): Remove in Gazpacho/2026.1 release #}
{% if is_upgrade | bool %}
[ironic-inspector:children]
ironic
{% endif %}
[ironic-dnsmasq:children]
ironic
[ironic-tftp:children]
ironic

5
tests/templates/ironic-overrides.j2
View File

@@ -1,5 +1,10 @@
[DEFAULT]
enabled_inspect_interfaces = no-inspect, agent
default_inspect_interface = agent
[neutron]
cleaning_network = public1
inspection_network = public1
provisioning_network = public1
# This IPMI configuration has been taken from the metal3.io ironic-image

39
tests/test-ironic.sh
View File

@@ -19,7 +19,7 @@ function test_ironic_logged {
# Smoke test ironic API.
openstack --os-cloud kolla-admin-system-internal baremetal driver list
openstack baremetal node list
openstack --os-cloud kolla-admin-system-internal baremetal node list
openstack baremetal port list
openstack baremetal node show tk0
@@ -27,14 +27,43 @@ function test_ironic_logged {
openstack baremetal node show tk0
openstack baremetal node manage tk0
openstack baremetal node show tk0
openstack baremetal node provide tk0
openstack baremetal node show tk0
openstack baremetal node validate tk0
echo "TESTING: Server creation"
openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test
echo "TESTING: Server inspection"
openstack baremetal node inspect tk0
local attempt
attempt=1
while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "manageable" ]]; do
echo "Server not yet manageable, check $attempt - retrying"
attempt=$((attempt+1))
if [[ $attempt -eq 16 ]]; then
echo "FAILED: Server did not finish inspection after $attempt checks"
openstack baremetal node show tk0
return 1
fi
sleep 60
done
openstack baremetal node inventory save tk0
echo ""
echo "SUCCESS: Server inspection"
echo "TESTING: Server creation"
openstack baremetal node provide tk0
attempt=1
while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "available" ]]; do
echo "Server not yet available, check $attempt - retrying"
attempt=$((attempt+1))
if [[ $attempt -eq 16 ]]; then
echo "FAILED: Server did not get to available state after $attempt checks"
openstack baremetal node show tk0
return 1
fi
sleep 60
done
# NOTE(mnasiadka): Wait for nova-compute-ironic to pick up the new node
sleep 60
openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test
attempt=1
while [[ $(openstack server show kolla_bm_boot_test -f value -c status) != "ACTIVE" ]]; do
echo "Server not yet active, check $attempt - retrying"
attempt=$((attempt+1))

24
zuul.d/jobs.yaml
View File

@@ -359,6 +359,30 @@
vars:
base_distro: ubuntu
- job:
name: kolla-ansible-rocky9-ironic-upgrade
parent: kolla-ansible-ironic-base
nodeset: kolla-ansible-rocky9
vars:
base_distro: rocky
is_upgrade: true
- job:
name: kolla-ansible-debian-ironic-upgrade
parent: kolla-ansible-ironic-base
nodeset: kolla-ansible-debian-bookworm-16GB
vars:
base_distro: debian
is_upgrade: true
- job:
name: kolla-ansible-ubuntu-ironic-upgrade
parent: kolla-ansible-ironic-base
nodeset: kolla-ansible-ubuntu-noble-8GB
vars:
base_distro: ubuntu
is_upgrade: true
- job:
name: kolla-ansible-rocky9-magnum
parent: kolla-ansible-magnum-base

2
zuul.d/project.yaml
View File

@@ -25,6 +25,8 @@
- kolla-ansible-ubuntu-masakari
- kolla-ansible-debian-ironic
- kolla-ansible-ubuntu-ironic
- kolla-ansible-debian-ironic-upgrade
- kolla-ansible-ubuntu-ironic-upgrade
- kolla-ansible-debian-upgrade
- kolla-ansible-ubuntu-upgrade
- kolla-ansible-ubuntu-cells