From cbe6fe7cef02b92aecd12e4e13f312055f49a424 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 5 Jun 2025 15:22:49 +0100 Subject: [PATCH] Remove ironic-inspector deployment Ironic Inspector has been retired and its functionality has been moved to Ironic. Added a change to service-ks-register to make password optional (to be able to remove user without a password being passed in). Using the opportunity - increasing CI coverage to include inspection. Change-Id: If178c23249370c7c69744843737e61a6309d6a19
Signed-off-by: Michal Nasiadka --- ansible/group_vars/all.yml | 8 -- ansible/inventory/all-in-one | 2 +- ansible/inventory/multinode | 2 +- ansible/roles/bifrost/defaults/main.yml | 7 -- ansible/roles/bifrost/tasks/bootstrap.yml | 2 - ansible/roles/bifrost/tasks/stop.yml | 1 - .../roles/bifrost/templates/bifrost.yml.j2 | 6 - ansible/roles/common/tasks/config.yml | 1 - .../cron-logrotate-ironic-inspector.conf.j2 | 3 - ansible/roles/fluentd/defaults/main.yml | 2 - .../templates/conf/filter/01-rewrite.conf.j2 | 2 +- ansible/roles/ironic/defaults/main.yml | 98 ++--------------- ansible/roles/ironic/handlers/main.yml | 15 --- ansible/roles/ironic/tasks/bootstrap.yml | 6 - .../roles/ironic/tasks/bootstrap_service.yml | 23 ---- ansible/roles/ironic/tasks/clone.yml | 9 -- ansible/roles/ironic/tasks/config.yml | 99 +++-------------- ansible/roles/ironic/tasks/deploy.yml | 17 --- ansible/roles/ironic/tasks/precheck.yml | 18 +-- ansible/roles/ironic/tasks/upgrade.yml | 59 +++++++++- .../{inspector.ipxe.j2 => ipa.ipxe.j2} | 6 +- .../ironic/templates/ironic-dnsmasq.conf.j2 | 4 +- .../ironic/templates/ironic-http.json.j2 | 6 +- .../ironic/templates/ironic-inspector.conf.j2 | 103 ------------------ .../ironic/templates/ironic-inspector.json.j2 | 28 ----- .../ironic/templates/ironic-tftp.json.j2 | 2 +- ansible/roles/ironic/templates/ironic.conf.j2 | 17 --- .../ironic/templates/pxelinux.default.j2 | 2 +- ansible/roles/loadbalancer/tasks/precheck.yml | 13 --- ansible/roles/loadbalancer/tasks/upgrade.yml | 9 ++ ansible/roles/prometheus/defaults/main.yml | 2 - .../roles/service-ks-register/tasks/main.yml | 10 +- ansible/site.yml | 1 - .../reference/bare-metal/ironic-guide.rst | 12 +- etc/kolla/globals.yml | 6 +- etc/kolla/passwords.yml | 3 - ...rop-ironic-inspector-38fc91c64517ffc1.yaml | 12 ++ roles/openstack-clients/defaults/main.yml | 2 - tests/get_logs.sh | 8 +- tests/templates/inventory.j2 | 6 + tests/templates/ironic-overrides.j2 | 5 + tests/test-ironic.sh | 39 ++++++- 
zuul.d/jobs.yaml | 24 ++++ zuul.d/project.yaml | 2 + 44 files changed, 206 insertions(+), 496 deletions(-) delete mode 100644 ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2 rename ansible/roles/ironic/templates/{inspector.ipxe.j2 => ipa.ipxe.j2} (55%) delete mode 100644 ansible/roles/ironic/templates/ironic-inspector.conf.j2 delete mode 100644 ansible/roles/ironic/templates/ironic-inspector.json.j2 create mode 100644 releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 2fd4414234..bc40c355f7 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -481,13 +481,6 @@ ironic_public_endpoint: "{{ ironic_external_fqdn | kolla_url(public_protocol, ir ironic_api_port: "6385" ironic_api_listen_port: "{{ ironic_api_port }}" ironic_api_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_api_port }}" -ironic_inspector_internal_fqdn: "{{ kolla_internal_fqdn }}" -ironic_inspector_external_fqdn: "{{ kolla_external_fqdn }}" -ironic_inspector_internal_endpoint: "{{ ironic_inspector_internal_fqdn | kolla_url(internal_protocol, ironic_inspector_port) }}" -ironic_inspector_public_endpoint: "{{ ironic_inspector_external_fqdn | kolla_url(public_protocol, ironic_inspector_public_port) }}" -ironic_inspector_port: "5050" -ironic_inspector_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_inspector_port }}" -ironic_inspector_listen_port: "{{ ironic_inspector_port }}" ironic_http_port: "8089" ironic_prometheus_exporter_port: "9608" 
@@ -877,7 +870,6 @@ enable_horizon_zun: "{{ enable_zun | bool }}" enable_influxdb: "{{ enable_cloudkitty | bool and cloudkitty_storage_backend == 'influxdb' }}" enable_ironic: "no" enable_ironic_dnsmasq: "{{ enable_ironic | bool }}" -enable_ironic_inspector: "no" enable_ironic_neutron_agent: "no" enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}" enable_iscsid: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}" diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one index 1dd7914da1..1d47ec7982 100644 --- a/ansible/inventory/all-in-one +++ b/ansible/inventory/all-in-one @@ -351,7 +351,7 @@ ironic [ironic-conductor:children] ironic -[ironic-inspector:children] +[ironic-dnsmasq:children] ironic [ironic-tftp:children] diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode index 178890b1c4..9c35be0475 100644 --- a/ansible/inventory/multinode +++ b/ansible/inventory/multinode @@ -359,7 +359,7 @@ ironic [ironic-conductor:children] ironic -[ironic-inspector:children] +[ironic-dnsmasq:children] ironic [ironic-tftp:children] diff --git a/ansible/roles/bifrost/defaults/main.yml b/ansible/roles/bifrost/defaults/main.yml index 814bcc9dea..b597e784ac 100644 --- a/ansible/roles/bifrost/defaults/main.yml +++ b/ansible/roles/bifrost/defaults/main.yml @@ -11,10 +11,3 @@ bifrost_deploy_image_full: "{{ bifrost_deploy_image }}:{{ bifrost_deploy_tag }}" bifrost_deploy_container_proxy: "{{ container_proxy }}" bifrost_deploy_verbosity: "-vvvv" - -# Whether to enable the legacy ironic-inspector service -# NOTE(wszumski): Bifrost plans to remove this option once the native in-band -# inspection reaches feature parity. Please see: -# https://bugs.launchpad.net/kolla/+bug/2054685 which contains links for -# tracking the progress. -bifrost_enable_ironic_inspector: true diff --git a/ansible/roles/bifrost/tasks/bootstrap.yml b/ansible/roles/bifrost/tasks/bootstrap.yml index c6533d87d2..622d5f9e78 100644 
--- a/ansible/roles/bifrost/tasks/bootstrap.yml +++ b/ansible/roles/bifrost/tasks/bootstrap.yml @@ -8,8 +8,6 @@ {{ kolla_container_engine }} exec bifrost_deploy bash -c 'mkdir -p /var/log/kolla/ironic && chown ironic:ironic /var/log/kolla/ironic && - mkdir -p /var/log/kolla/ironic-inspector && - chown ironic:ironic /var/log/kolla/ironic-inspector && mkdir -p /var/log/kolla/nginx && chown {{ nginx_user }}:{{ nginx_user }} /var/log/kolla/nginx' diff --git a/ansible/roles/bifrost/tasks/stop.yml b/ansible/roles/bifrost/tasks/stop.yml index 9d9a3a1776..ac71b934b2 100644 --- a/ansible/roles/bifrost/tasks/stop.yml +++ b/ansible/roles/bifrost/tasks/stop.yml @@ -17,7 +17,6 @@ command: "{{ kolla_container_engine }} exec bifrost_deploy systemctl stop {{ item }}.service" with_items: - ironic - - ironic-inspector - mariadb - nginx diff --git a/ansible/roles/bifrost/templates/bifrost.yml.j2 b/ansible/roles/bifrost/templates/bifrost.yml.j2 index e7014a64f5..49e62455e3 100644 --- a/ansible/roles/bifrost/templates/bifrost.yml.j2 +++ b/ansible/roles/bifrost/templates/bifrost.yml.j2 @@ -2,9 +2,6 @@ # Ironic log directory. ironic_log_dir: "/var/log/kolla/ironic" -# Ironic inspector log directory. -inspector_log_dir: "/var/log/kolla/ironic-inspector" - # Ironic Python Agent deploy logs directory ironic_agent_deploy_logs_local_path: "/var/log/kolla/ironic/deploy" @@ -34,8 +31,5 @@ generate_tls: true # the default /etc/bifrost is not. tls_root: "/etc/bifrost-certs" -# Whether to enable the legacy ironic-inspector service. -enable_inspector: "{{ bifrost_enable_ironic_inspector }}" - # Disable firewalld use_firewalld: false diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml index e6e88d6213..2562c31e5c 100644 --- a/ansible/roles/common/tasks/config.yml +++ b/ansible/roles/common/tasks/config.yml 
@@ -80,7 +80,6 @@ - { name: "horizon", enabled: "{{ enable_horizon | bool }}" } - { name: "influxdb", enabled: "{{ enable_influxdb | bool }}" } - { name: "ironic", enabled: "{{ enable_ironic | bool }}" } - - { name: "ironic-inspector", enabled: "{{ enable_ironic | bool }}" } - { name: "keystone", enabled: "{{ enable_keystone | bool }}" } - { name: "kuryr", enabled: "{{ enable_kuryr | bool }}" } - { name: "magnum", enabled: "{{ enable_magnum | bool }}" } diff --git a/ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2 b/ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2 deleted file mode 100644 index a3fe9a18a5..0000000000 --- a/ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ -"/var/log/kolla/ironic-inspector/*.log" -{ -} diff --git a/ansible/roles/fluentd/defaults/main.yml b/ansible/roles/fluentd/defaults/main.yml index fd18d5fe44..f749a5bea5 100644 --- a/ansible/roles/fluentd/defaults/main.yml +++ b/ansible/roles/fluentd/defaults/main.yml @@ -109,8 +109,6 @@ fluentd_input_openstack_services: enabled: "{{ enable_horizon | bool }}" - name: ironic enabled: "{{ enable_ironic | bool }}" - - name: ironic-inspector - enabled: "{{ enable_ironic | bool }}" - name: keystone enabled: "{{ enable_keystone | bool }}" - name: kuryr diff --git a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 index ee761a34f0..c8e35c8598 100644 --- a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 +++ b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2 @@ -118,7 +118,7 @@ key programname - pattern ^(ironic-api|ironic-conductor|ironic-inspector)$ + pattern ^(ironic-api|ironic-conductor)$ tag openstack_python diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index 2c30e954e2..fb485375a2 100644 --- a/ansible/roles/ironic/defaults/main.yml 
+++ b/ansible/roles/ironic/defaults/main.yml @@ -38,33 +38,6 @@ ironic_services: volumes: "{{ ironic_conductor_default_volumes + ironic_conductor_extra_volumes + lookup('vars', 'run_default_volumes_' + kolla_container_engine) }}" dimensions: "{{ ironic_conductor_dimensions }}" healthcheck: "{{ ironic_conductor_healthcheck }}" - ironic-inspector: - container_name: ironic_inspector - group: ironic-inspector - enabled: "{{ enable_ironic_inspector }}" - image: "{{ ironic_inspector_image_full }}" - privileged: True - volumes: "{{ ironic_inspector_default_volumes + ironic_inspector_extra_volumes }}" - dimensions: "{{ ironic_inspector_dimensions }}" - healthcheck: "{{ ironic_inspector_healthcheck }}" - haproxy: - ironic_inspector: - enabled: "{{ enable_ironic }}" - mode: "http" - external: false - port: "{{ ironic_inspector_port }}" - listen_port: "{{ ironic_inspector_listen_port }}" - backend_http_extra: - - "option httpchk" - ironic_inspector_external: - enabled: "{{ enable_ironic }}" - mode: "http" - external: true - external_fqdn: "{{ ironic_inspector_external_fqdn }}" - port: "{{ ironic_inspector_public_port }}" - listen_port: "{{ ironic_inspector_listen_port }}" - backend_http_extra: - - "option httpchk" ironic-tftp: container_name: ironic_tftp group: ironic-tftp @@ -87,7 +60,7 @@ ironic_services: healthcheck: "{{ ironic_http_healthcheck }}" ironic-dnsmasq: container_name: ironic_dnsmasq - group: ironic-inspector + group: ironic-dnsmasq enabled: "{{ enable_ironic_dnsmasq }}" cap_add: - NET_ADMIN 
@@ -117,34 +90,21 @@ ironic_database_name: "ironic" ironic_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic{% endif %}" ironic_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}" -ironic_inspector_database_name: "ironic_inspector" -ironic_inspector_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic_inspector{% endif %}" -ironic_inspector_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}" - #################### # Database sharding #################### ironic_database_shard_root_user: "{% if enable_proxysql | bool %}root_shard_{{ ironic_database_shard_id }}{% else %}{{ database_user }}{% endif %}" ironic_database_shard_id: "{{ mariadb_default_database_shard_id | int }}" -ironic_inspector_database_shard_id: "{{ ironic_database_shard_id | int }}" ironic_database_shard: users: - user: "{{ ironic_database_user }}" password: "{{ ironic_database_password }}" shard_id: "{{ ironic_database_shard_id }}" - - user: "{{ ironic_inspector_database_user }}" - password: "{{ ironic_inspector_database_password }}" - shard_id: "{{ ironic_inspector_database_shard_id }}" rules: - schema: "{{ ironic_database_name }}" shard_id: "{{ ironic_database_shard_id }}" - user: "{{ ironic_database_user }}" shard_id: "{{ ironic_database_shard_id }}" - - schema: "{{ ironic_inspector_database_name }}" - shard_id: "{{ ironic_inspector_database_shard_id }}" - - user: "{{ ironic_inspector_database_user }}" - shard_id: "{{ ironic_inspector_database_shard_id }}" - #################### # Docker 
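Review bot: Dropping the `ironic_inspector_database_*` variables and the inspector entries under `ironic_database_shard` removes the role's knowledge of the inspector schema and account, but none of the upgrade tasks visible in this patch drops the `ironic_inspector` database or its MariaDB user. After the upgrade that account would stay valid with a password that is no longer tracked in passwords.yml, which is the kind of orphaned credential that gets missed in later rotation. If the cleanup is not handled elsewhere in the change, either add a removal task alongside the other `TODO(mnasiadka)` cleanup or state in the release note that operators must drop the database and user manually.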
@@ -163,10 +123,6 @@ ironic_pxe_image: "{{ docker_image_url }}ironic-pxe" ironic_pxe_tag: "{{ ironic_tag }}" ironic_pxe_image_full: "{{ ironic_pxe_image }}:{{ ironic_pxe_tag }}" -ironic_inspector_image: "{{ docker_image_url }}ironic-inspector" -ironic_inspector_tag: "{{ ironic_tag }}" -ironic_inspector_image_full: "{{ ironic_inspector_image }}:{{ ironic_inspector_tag }}" - ironic_dnsmasq_image: "{{ docker_image_url }}dnsmasq" ironic_dnsmasq_tag: "{{ ironic_tag }}" ironic_dnsmasq_image_full: "{{ ironic_dnsmasq_image }}:{{ ironic_dnsmasq_tag }}" @@ -179,7 +135,6 @@ ironic_api_dimensions: "{{ default_container_dimensions }}" ironic_conductor_dimensions: "{{ default_container_dimensions }}" ironic_tftp_dimensions: "{{ default_container_dimensions }}" ironic_http_dimensions: "{{ default_container_dimensions }}" -ironic_inspector_dimensions: "{{ default_container_dimensions }}" ironic_dnsmasq_dimensions: "{{ default_container_dimensions }}" ironic_prometheus_exporter_dimensions: "{{ default_container_dimensions }}" 
@@ -209,19 +164,6 @@ ironic_conductor_healthcheck: test: "{% if ironic_conductor_enable_healthchecks | bool %}{{ ironic_conductor_healthcheck_test }}{% else %}NONE{% endif %}" timeout: "{{ ironic_conductor_healthcheck_timeout }}" -ironic_inspector_enable_healthchecks: "{{ enable_container_healthchecks }}" -ironic_inspector_healthcheck_interval: "{{ default_container_healthcheck_interval }}" -ironic_inspector_healthcheck_retries: "{{ default_container_healthcheck_retries }}" -ironic_inspector_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" -ironic_inspector_healthcheck_test: ["CMD-SHELL", "healthcheck_port ironic-inspector {{ om_rpc_port }}"] -ironic_inspector_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" -ironic_inspector_healthcheck: - interval: "{{ ironic_inspector_healthcheck_interval }}" - retries: "{{ ironic_inspector_healthcheck_retries }}" - start_period: "{{ ironic_inspector_healthcheck_start_period }}" - test: "{% if ironic_inspector_enable_healthchecks | bool %}{{ ironic_inspector_healthcheck_test }}{% else %}NONE{% endif %}" - timeout: "{{ ironic_inspector_healthcheck_timeout }}" - ironic_http_enable_healthchecks: "{{ enable_container_healthchecks }}" ironic_http_healthcheck_interval: "{{ default_container_healthcheck_interval }}" ironic_http_healthcheck_retries: "{{ default_container_healthcheck_retries }}" 
@@ -266,19 +208,12 @@ ironic_http_default_volumes: - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - "ironic:/var/lib/ironic" - "kolla_logs:/var/log/kolla" -ironic_inspector_default_volumes: - - "{{ node_config_directory }}/ironic-inspector/:{{ container_config_directory }}/:ro" - - "/etc/localtime:/etc/localtime:ro" - - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - - "kolla_logs:/var/log/kolla" - - "ironic_inspector_dhcp_hosts:/var/lib/ironic-inspector/dhcp-hostsdir" - - "{{ kolla_dev_repos_directory ~ '/ironic-inspector:/dev-mode/ironic-inspector' if ironic_inspector_dev_mode | bool else '' }}" ironic_dnsmasq_default_volumes: - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - "kolla_logs:/var/log/kolla" - - "ironic_inspector_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro" + - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro" ironic_prometheus_exporter_default_volumes: - "{{ node_config_directory }}/ironic-prometheus-exporter/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" @@ -291,7 +226,6 @@ ironic_api_extra_volumes: "{{ ironic_extra_volumes }}" ironic_conductor_extra_volumes: "{{ ironic_extra_volumes }}" ironic_tftp_extra_volumes: "{{ ironic_extra_volumes }}" ironic_http_extra_volumes: "{{ ironic_extra_volumes }}" -ironic_inspector_extra_volumes: "{{ ironic_extra_volumes }}" ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}" ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}" 
@@ -299,13 +233,10 @@ ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}" # OpenStack #################### ironic_inspector_keystone_user: "ironic-inspector" - ironic_logging_debug: "{{ openstack_logging_debug }}" openstack_ironic_auth: "{{ openstack_auth }}" -openstack_ironic_inspector_auth: "{{ openstack_auth }}" - ironic_api_workers: "{{ openstack_service_workers }}" ######### @@ -323,8 +254,8 @@ ironic_http_url: "http://{{ ironic_http_interface_address | put_address_in_conte ironic_tftp_listen_address: "{{ ironic_tftp_interface_address }}" ironic_enable_rolling_upgrade: "yes" ironic_upgrade_skip_wait_check: false -ironic_inspector_kernel_cmdline_extras: [] -ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}" +ironic_kernel_cmdline_extras: [] +ironic_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}" ironic_prometheus_exporter_data_dir: "/var/lib/ironic-prometheus-exporter/data" ironic_prometheus_exporter_sensor_data_interval: 30 ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true" @@ -333,13 +264,10 @@ ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true" #################### ## Kolla ##################### -ironic_inspector_git_repository: "{{ kolla_dev_repos_git }}/ironic-inspector" ironic_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}" ironic_dev_repos_pull: "{{ kolla_dev_repos_pull }}" ironic_dev_mode: "{{ kolla_dev_mode }}" -ironic_inspector_dev_mode: "{{ ironic_dev_mode }}" ironic_source_version: "{{ kolla_source_version }}" -ironic_inspector_source_version: "{{ ironic_source_version }}" ironic_agent_files_directory: "{{ node_custom_config }}" 
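Review bot: In the `@@ -323,8 +254,8 @@` hunk the rename of `ironic_inspector_pxe_filter` to `ironic_pxe_filter` silently discards any operator override that still uses the old name. A deployment that had set the filter explicitly in globals.yml while `enable_neutron` is false would fall back to `noop` after the upgrade, and presumably dnsmasq would then answer boot requests from any host on the provisioning network; confirm against the templates that consume this variable. Honouring the old name for one cycle avoids that, for example `ironic_pxe_filter: "{{ ironic_inspector_pxe_filter | default('dnsmasq' if enable_neutron | bool else 'noop') }}"`, and the same applies to `ironic_kernel_cmdline_extras`. Alternatively a precheck could fail when either old variable is still defined.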
@@ -363,34 +291,28 @@ ironic_ks_services: endpoints: - {'interface': 'internal', 'url': '{{ ironic_internal_endpoint }}'} - {'interface': 'public', 'url': '{{ ironic_public_endpoint }}'} +# TODO(mnasiadka): Remove in Gazpacho/2026.1 - name: "ironic-inspector" type: "baremetal-introspection" description: "Ironic Inspector baremetal introspection service" - endpoints: - - {'interface': 'internal', 'url': '{{ ironic_inspector_internal_endpoint }}'} - - {'interface': 'public', 'url': '{{ ironic_inspector_public_endpoint }}'} + state: absent + endpoints: [] ironic_ks_users: - project: "service" user: "{{ ironic_keystone_user }}" password: "{{ ironic_keystone_password }}" role: "admin" +# TODO(mnasiadka): Remove in Gazpacho/2026.1 - project: "service" - user: "{{ ironic_inspector_keystone_user }}" - password: "{{ ironic_inspector_keystone_password }}" + user: "{{ ironic_inspector_keystone_user | default('ironic-inspector') }}" role: "admin" + state: absent ironic_ks_user_roles: - project: "service" user: "{{ ironic_keystone_user }}" role: "service" - - project: "service" - user: "{{ ironic_inspector_keystone_user }}" - role: "service" - state: "absent" - - system: "all" - user: "{{ ironic_inspector_keystone_user }}" - role: "service" #################### # TLS diff --git a/ansible/roles/ironic/handlers/main.yml b/ansible/roles/ironic/handlers/main.yml index 8fd1a5394d..d7989a5736 100644 --- a/ansible/roles/ironic/handlers/main.yml +++ b/ansible/roles/ironic/handlers/main.yml 
@@ -28,21 +28,6 @@ dimensions: "{{ service.dimensions }}" healthcheck: "{{ service.healthcheck | default(omit) }}" -- name: Restart ironic-inspector container - vars: - service_name: "ironic-inspector" - service: "{{ ironic_services[service_name] }}" - become: true - kolla_container: - action: "recreate_or_restart_container" - common_options: "{{ docker_common_options }}" - name: "{{ service.container_name }}" - image: "{{ service.image }}" - privileged: "{{ service.privileged | default(False) }}" - volumes: "{{ service.volumes | reject('equalto', '') | list }}" - dimensions: "{{ service.dimensions }}" - healthcheck: "{{ service.healthcheck | default(omit) }}" - - name: Restart ironic-tftp container vars: service_name: "ironic-tftp" diff --git a/ansible/roles/ironic/tasks/bootstrap.yml b/ansible/roles/ironic/tasks/bootstrap.yml index 2843f97c72..b6dc71a078 100644 --- a/ansible/roles/ironic/tasks/bootstrap.yml +++ b/ansible/roles/ironic/tasks/bootstrap.yml @@ -16,8 +16,6 @@ with_items: - database_name: "{{ ironic_database_name }}" group: "ironic-api" - - database_name: "{{ ironic_inspector_database_name }}" - group: "ironic-inspector" when: - not use_preconfigured_databases | bool - inventory_hostname in groups[item.group] @@ -45,10 +43,6 @@ database_user: "{{ ironic_database_user }}" database_password: "{{ ironic_database_password }}" group: "ironic-api" - - database_name: "{{ ironic_inspector_database_name }}" - database_user: "{{ ironic_inspector_database_user }}" - database_password: "{{ ironic_inspector_database_password }}" - group: "ironic-inspector" loop_control: label: "{{ item.database_name }}" when: diff --git a/ansible/roles/ironic/tasks/bootstrap_service.yml b/ansible/roles/ironic/tasks/bootstrap_service.yml index b1ade0333d..2374bae120 100644 --- a/ansible/roles/ironic/tasks/bootstrap_service.yml +++ b/ansible/roles/ironic/tasks/bootstrap_service.yml 
@@ -24,29 +24,6 @@ delegate_to: "{{ groups[ironic_api.group][0] }}" when: inventory_hostname in groups[ironic_api.group] -- name: Running Ironic Inspector bootstrap container - vars: - ironic_inspector: "{{ ironic_services['ironic-inspector'] }}" - become: true - kolla_container: - action: "start_container" - common_options: "{{ docker_common_options }}" - detach: False - environment: - KOLLA_BOOTSTRAP: - KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}" - image: "{{ ironic_inspector.image }}" - labels: - BOOTSTRAP: - name: "bootstrap_ironic_inspector" - restart_policy: oneshot - volumes: "{{ ironic_inspector.volumes | reject('equalto', '') | list }}" - run_once: True - delegate_to: "{{ groups[ironic_inspector.group][0] }}" - when: - - inventory_hostname in groups[ironic_inspector.group] - - enable_ironic_inspector | bool - - name: Running ironic-tftp bootstrap container vars: service: "{{ ironic_services['ironic-tftp'] }}" diff --git a/ansible/roles/ironic/tasks/clone.yml b/ansible/roles/ironic/tasks/clone.yml index 51ca6a221b..3b9cd387fb 100644 --- a/ansible/roles/ironic/tasks/clone.yml +++ b/ansible/roles/ironic/tasks/clone.yml @@ -6,12 +6,3 @@ dest: "{{ kolla_dev_repos_directory }}/{{ project_name }}" update: "{{ ironic_dev_repos_pull }}" version: "{{ ironic_source_version }}" - -- name: Cloning ironic-inspector source repository for development - become: true - git: - repo: "{{ ironic_inspector_git_repository }}" - dest: "{{ kolla_dev_repos_directory }}/ironic-inspector" - update: "{{ ironic_dev_repos_pull }}" - version: "{{ ironic_inspector_source_version }}" - when: ironic_inspector_dev_mode | bool diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index bcd08a510f..98a3e66e2e 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml 
@@ -21,18 +21,6 @@ - "{{ node_custom_config }}/ironic/" skip: true -- name: Check if Ironic Inspector policies shall be overwritten - stat: - path: "{{ item }}" - delegate_to: localhost - run_once: True - register: ironic_inspector_policy - with_first_found: - - files: "{{ supported_policy_format_list }}" - paths: - - "{{ node_custom_config }}/ironic/inspector/" - skip: true - - name: Set ironic policy file set_fact: ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}" @@ -40,38 +28,6 @@ when: - ironic_policy.results -- name: Set ironic-inspector policy file - set_fact: - ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}" - ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}" - when: - - ironic_inspector_policy.results - -- name: Check if Ironic Inspector known_devices.yaml shall be overwritten - stat: - path: "{{ node_custom_config }}/ironic-inspector/known_devices.yaml" - delegate_to: localhost - run_once: True - register: ironic_inspector_known_devices - -- name: Set known_devices file path - set_fact: - ironic_inspector_known_devices_file_path: "{{ ironic_inspector_known_devices.stat.path }}" - when: - - ironic_inspector_known_devices.stat.exists - -- name: Copying over known_devices.yaml - vars: - service: "{{ ironic_services['ironic-inspector'] }}" - template: - src: "{{ ironic_inspector_known_devices_file_path }}" - dest: "{{ node_config_directory }}/ironic-inspector/known_devices.yaml" - mode: "0660" - become: true - when: - - ironic_inspector_known_devices_file_path is defined - - service | service_enabled_and_mapped_to_host - - include_tasks: copy-certs.yml when: - ironic_copy_certs | bool 
@@ -101,21 +57,6 @@ - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter" ] with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over inspector.conf - vars: - service: "{{ ironic_services['ironic-inspector'] }}" - merge_configs: - sources: - - "{{ role_path }}/templates/ironic-inspector.conf.j2" - - "{{ node_custom_config }}/global.conf" - - "{{ node_custom_config }}/ironic-inspector.conf" - - "{{ node_custom_config }}/ironic-inspector/inspector.conf" - - "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf" - dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf" - mode: "0660" - become: true - when: service | service_enabled_and_mapped_to_host - - name: Copying over dnsmasq.conf vars: service: "{{ ironic_services['ironic-dnsmasq'] }}" @@ -143,8 +84,8 @@ - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default" - "pxelinux.default.j2" when: - # Only required when Ironic inspector is in use. - - groups['ironic-inspector'] | length > 0 + # Only required when Ironic dnsmasq is in use. + - groups['ironic-dnsmasq'] | length > 0 - service | service_enabled_and_mapped_to_host - not ironic_dnsmasq_serve_ipxe | bool @@ -160,8 +101,8 @@ - "ironic-agent.kernel" - "ironic-agent.initramfs" when: - # Only required when Ironic inspector is in use. - - groups['ironic-inspector'] | length > 0 + # Only required when Ironic dnsmasq is in use. + - groups['ironic-dnsmasq'] | length > 0 - service | service_enabled_and_mapped_to_host - not ironic_dnsmasq_serve_ipxe | bool 
@@ -177,25 +118,25 @@ - "ironic-agent.kernel" - "ironic-agent.initramfs" when: - # Only required when Ironic inspector is in use. - - groups['ironic-inspector'] | length > 0 + # Only required when Ironic dnsmasq is in use. + - groups['ironic-dnsmasq'] | length > 0 - service | service_enabled_and_mapped_to_host -- name: Copying inspector.ipxe +- name: Copying ipa.ipxe vars: service: "{{ ironic_services['ironic-http'] }}" template: src: "{{ item }}" - dest: "{{ node_config_directory }}/ironic-http/inspector.ipxe" + dest: "{{ node_config_directory }}/ironic-http/ipa.ipxe" mode: "0660" become: true with_first_found: - - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/inspector.ipxe" - - "{{ node_custom_config }}/ironic/inspector.ipxe" - - "inspector.ipxe.j2" + - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ipa.ipxe" + - "{{ node_custom_config }}/ironic/ipa.ipxe" + - "ipa.ipxe.j2" when: - # Only required when Ironic inspector is in use. - - groups['ironic-inspector'] | length > 0 + # Only required when Ironic dnsmasq is in use. + - groups['ironic-dnsmasq'] | length > 0 - service | service_enabled_and_mapped_to_host - name: Copying ironic-http-httpd.conf @@ -240,20 +181,6 @@ - item.key in services_require_policy_json with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}" -- name: Copying over existing Ironic Inspector policy file - vars: - services_require_inspector_policy_json: - - ironic-inspector - template: - src: "{{ ironic_inspector_policy_file_path }}" - dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}" - mode: "0660" - become: true - when: - - ironic_inspector_policy_file is defined - - item.key in services_require_inspector_policy_json - with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}" - - name: Copying over ironic-api-wsgi.conf vars: service: "{{ ironic_services['ironic-api'] }}" 
diff --git a/ansible/roles/ironic/tasks/deploy.yml b/ansible/roles/ironic/tasks/deploy.yml index f135ada713..9519d8e70f 100644 --- a/ansible/roles/ironic/tasks/deploy.yml +++ b/ansible/roles/ironic/tasks/deploy.yml @@ -15,20 +15,3 @@ - name: Flush handlers meta: flush_handlers - -# NOTE(mgoddard): If inspector was previously configured to use the iptables -# PXE filter, it may leave rules in place that block inspection. Clean them up. -# The iptables Ansible module is not idempotent - it fails if the chain does -# not exist, so use a command instead. -- name: Flush and delete ironic-inspector iptables chain - become: true - command: iptables --{{ item }} ironic-inspector - register: ironic_inspector_chain - with_items: - - flush - - delete-chain - when: ironic_inspector_pxe_filter != 'iptables' - changed_when: ironic_inspector_chain.rc == 0 - failed_when: - - ironic_inspector_chain.rc != 0 - - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr" diff --git a/ansible/roles/ironic/tasks/precheck.yml b/ansible/roles/ironic/tasks/precheck.yml index 99394cf6ab..cb5a21839f 100644 --- a/ansible/roles/ironic/tasks/precheck.yml +++ b/ansible/roles/ironic/tasks/precheck.yml @@ -12,7 +12,6 @@ container_engine: "{{ kolla_container_engine }}" name: - ironic_api - - ironic_inspector - ironic_http - ironic_prometheus_exporter check_mode: false @@ -29,17 +28,6 @@ - container_facts.containers['ironic_api'] is not defined - inventory_hostname in groups['ironic-api'] -- name: Checking free port for Ironic Inspector - wait_for: - host: "{{ api_interface_address }}" - port: "{{ ironic_inspector_listen_port }}" - connect_timeout: 1 - timeout: 1 - state: stopped - when: - - container_facts.containers['ironic_inspector'] is not defined - - inventory_hostname in groups['ironic-inspector'] - - name: Checking free port for Ironic HTTP server wait_for: host: "{{ api_interface_address }}" 
@@ -63,7 +51,7 @@ - container_facts.containers['ironic_prometheus_exporter'] is not defined - inventory_hostname in groups['ironic-conductor'] -- name: Checking ironic-agent files exist for Ironic Inspector +- name: Checking ironic-agent files exist for Ironic stat: path: "{{ ironic_agent_files_directory }}/ironic/{{ item }}" delegate_to: localhost @@ -71,8 +59,8 @@ register: result failed_when: not result.stat.exists when: - # Only required when Ironic inspector is in use. - - groups['ironic-inspector'] | length > 0 + # Only required when Ironic dnsmasq is in use. + - groups['ironic-dnsmasq'] | length > 0 - (not ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-tftp']) or (ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-http']) with_items: diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml index 0e020b9df0..4e5ef576e1 100644 --- a/ansible/roles/ironic/tasks/upgrade.yml +++ b/ansible/roles/ironic/tasks/upgrade.yml 
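Review bot: The condition `groups['ironic-dnsmasq'] | length > 0` assumes the inventory already defines the new group, so an inventory carried over from an earlier release that still has only `[ironic-inspector:children]` would make this precheck stop with a templating error instead of a readable message. The same lookup is used in the config.yml conditions changed by this patch. A small assert at the top of precheck.yml, such as `that: "'ironic-dnsmasq' in groups"` with a `fail_msg` naming the renamed group, would tell the operator what to fix, unless a generic inventory check elsewhere already covers it. The task's `with_items` list continues outside the hunk.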
@@ -1,6 +1,55 @@ --- +# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release +- name: Remove ironic-inspector + become: true + kolla_container: + action: "stop_and_remove_container" + common_options: "{{ docker_common_options }}" + name: "ironic_inspector" + ignore_missing: true + +# TODO(mnasiadka): Remove this block in Gazpacho/2026.1 release +- name: Handle volume migration for ironic_dnsmasq + when: enable_ironic_dnsmasq | bool + block: + - name: Stop ironic_dnsmasq container + become: true + kolla_container: + action: "stop_container" + common_options: "{{ docker_common_options }}" + name: "ironic_dnsmasq" + ignore_missing: true + + - name: Create ironic_dhcp_hosts volume + become: true + command: "{{ kolla_container_engine }} volume create ironic_dhcp_hosts" + + - name: Migrate data from ironic_inspector_dhcp_hosts volume + become: true + vars: + volumes_dir: >- + {{ '/var/lib/docker/volumes' if kolla_container_engine == 'docker' + else '/var/lib/containers/storage/volumes' }} + command: >- + mv {{ volumes_dir }}/ironic_inspector_dhcp_hosts/_data/ + {{ volumes_dir }}/ironic_dhcp_hosts/_data + +- name: Get Ironic API container facts + become: true + vars: + container_name: "{{ ironic_services['ironic-api'].container_name }}" + kolla_container_facts: + action: get_containers + container_engine: "{{ kolla_container_engine }}" + name: + - "{{ container_name }}" + check_mode: false + register: container_facts + - name: Wait for Ironic nodes not to wait become: true + vars: + container_name: "{{ ironic_services['ironic-api'].container_name }}" command: > {{ kolla_container_engine }} exec kolla_toolbox openstack --os-interface {{ openstack_interface }} 
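Review bot: The `Migrate data from ironic_inspector_dhcp_hosts volume` task is not safe to run twice and probably leaves the files in the wrong place. The task before it has just created `ironic_dhcp_hosts`, so if the engine creates `_data` at volume creation (the local driver normally does), `mv …/ironic_inspector_dhcp_hosts/_data/ …/ironic_dhcp_hosts/_data` moves the old directory inside the new one and the host files end up under `_data/_data`. On a host where the old volume does not exist, or on a second upgrade run after the `volume rm` in the next hunk has succeeded, both the `mv` and that `volume rm` exit non-zero and abort the upgrade. The hard-coded `/var/lib/docker/volumes` and `/var/lib/containers/storage/volumes` paths also assume the engine's default storage root. Copying the directory contents and guarding on the source path, as below, fixes the first two problems; the `volume rm` task needs a matching guard.

```yaml
    - name: Migrate data from ironic_inspector_dhcp_hosts volume
      become: true
      # … unchanged: vars (volumes_dir) …
      command: >-
        cp -a {{ volumes_dir }}/ironic_inspector_dhcp_hosts/_data/.
        {{ volumes_dir }}/ironic_dhcp_hosts/_data/
      args:
        # skip when the old volume is already gone (re-run, or never created)
        removes: "{{ volumes_dir }}/ironic_inspector_dhcp_hosts/_data"
```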
@@ -25,10 +74,18 @@ select('search', '\\bwait\\b') | length) == 0 run_once: true - when: not ironic_upgrade_skip_wait_check | bool + when: + - not ironic_upgrade_skip_wait_check | bool + - container_facts.containers[container_name] is defined - include_tasks: rolling_upgrade.yml when: ironic_enable_rolling_upgrade | bool - include_tasks: legacy_upgrade.yml when: not ironic_enable_rolling_upgrade | bool + +# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release +- name: Remove ironic_inspector_dhcp_hosts volume + become: true + command: "{{ kolla_container_engine }} volume rm ironic_inspector_dhcp_hosts" + when: enable_ironic_dnsmasq | bool diff --git a/ansible/roles/ironic/templates/inspector.ipxe.j2 b/ansible/roles/ironic/templates/ipa.ipxe.j2 similarity index 55% rename from ansible/roles/ironic/templates/inspector.ipxe.j2 rename to ansible/roles/ironic/templates/ipa.ipxe.j2 index 3bf2c8825e..676f885c45 100644 --- a/ansible/roles/ironic/templates/inspector.ipxe.j2 +++ b/ansible/roles/ironic/templates/ipa.ipxe.j2 
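Review bot: Nothing in the upgrade tasks shown removes the inspector's generated configuration from the host; the cleanup added here stops at the `ironic_inspector` container and the `ironic_inspector_dhcp_hosts` volume. The deleted templates show that `inspector.conf` carries the inspector's database connection string and its Keystone service password, so after the upgrade those credentials would stay on disk for a service that no longer runs. Unless another part of the change handles it, add a `file` task with `state: absent` for that directory (presumably `{{ node_config_directory }}/ironic-inspector`, to be confirmed), in the style of the HAProxy snippet removal in `loadbalancer/tasks/upgrade.yml`. The inspector database and its Keystone user should be confirmed dropped as well.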
@@ -7,12 +7,12 @@ dhcp || goto retry_dhcp {% if not enable_neutron | bool %} # load the MAC-specific file or fail if it's not found :boot_system -chain pxelinux.cfg/${mac:hexhyp} || goto inspector_ipa +chain pxelinux.cfg/${mac:hexhyp} || goto ipa {% endif %} -:inspector_ipa +:ipa :retry_boot imgfree -kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_inspector_kernel_cmdline_extras | join(' ') }} || goto retry_boot +kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_kernel_cmdline_extras | join(' ') }} || goto retry_boot initrd --timeout 30000 {{ ironic_http_url }}/ironic-agent.initramfs || goto retry_boot boot diff --git a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 index f438fd906b..87c9cc196e 100644 --- a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 +++ b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 @@ -25,7 +25,7 @@ dhcp-match=ipxe,175 dhcp-match=set:efi,option:client-arch,7 dhcp-match=set:efi,option:client-arch,9 # Client is already running iPXE; move to next stage of chainloading -dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/inspector.ipxe +dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/ipa.ipxe # Client is PXE booting over EFI without iPXE ROM, # send EFI version of iPXE chainloader dhcp-option=tag:efi,tag:!ipxe,option:bootfile-name,{{ ironic_dnsmasq_uefi_ipxe_boot_file }} 
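Review bot: The callback URL on the new `kernel` line still ends in `/v1/continue`, which was ironic-inspector's path. Now that the URL is built from `ironic_internal_endpoint`, the agent posts to the Ironic API, where in-band inspection callbacks are, as far as I know, served at `/v1/continue_inspection`. If that is right, the line should read `ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue_inspection`, and the `append` line in `pxelinux.default.j2` needs the same change. The CI overrides in this commit set `inspection_network`, so the new inspection test may not boot through this template and would not catch it.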
@@ -39,6 +39,6 @@ log-facility=/var/log/kolla/ironic/dnsmasq.log log-dhcp {% endif %} -{% if ironic_inspector_pxe_filter == 'dnsmasq' %} +{% if ironic_pxe_filter == 'dnsmasq' %} dhcp-hostsdir=/etc/dnsmasq/dhcp-hostsdir {% endif %} diff --git a/ansible/roles/ironic/templates/ironic-http.json.j2 b/ansible/roles/ironic/templates/ironic-http.json.j2 index 8fd42396f0..d726cd2012 100644 --- a/ansible/roles/ironic/templates/ironic-http.json.j2 +++ b/ansible/roles/ironic/templates/ironic-http.json.j2 @@ -3,7 +3,7 @@ { "command": "{{ apache_cmd }} -DFOREGROUND", "config_files": [ -{% if groups['ironic-inspector'] | length > 0 %} +{% if groups['ironic-dnsmasq'] | length > 0 %} { "source": "{{ container_config_directory }}/ironic-agent.kernel", "dest": "/var/lib/ironic/httpboot/ironic-agent.kernel", @@ -17,8 +17,8 @@ "perm": "0644" }, { - "source": "{{ container_config_directory }}/inspector.ipxe", - "dest": "/var/lib/ironic/httpboot/inspector.ipxe", + "source": "{{ container_config_directory }}/ipa.ipxe", + "dest": "/var/lib/ironic/httpboot/ipa.ipxe", "owner": "root", "perm": "0644" }, diff --git a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 b/ansible/roles/ironic/templates/ironic-inspector.conf.j2 deleted file mode 100644 index 56a63e2b36..0000000000 --- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 +++ /dev/null 
@@ -1,103 +0,0 @@ -[DEFAULT] -debug = {{ ironic_logging_debug }} -log_dir = /var/log/kolla/ironic-inspector - -{% if not ironic_enable_keystone_integration | bool %} -auth_strategy = noauth -{% endif %} -listen_address = {{ api_interface_address }} -listen_port = {{ ironic_inspector_listen_port }} -transport_url = {{ rpc_transport_url }} - -[oslo_messaging_notifications] -transport_url = {{ notify_transport_url }} - -[oslo_messaging_rabbit] -use_queue_manager = true -heartbeat_in_pthread = false -{% if om_enable_rabbitmq_tls | bool %} -ssl = true -ssl_ca_file = {{ om_rabbitmq_cacert }} -{% endif %} -rabbit_quorum_queue = true -{% if om_enable_rabbitmq_stream_fanout | bool %} -rabbit_stream_fanout = true -rabbit_qos_prefetch_count = {{ om_rabbitmq_qos_prefetch_count }} -{% endif %} -rabbit_transient_quorum_queue = true - -[ironic] -{% if ironic_enable_keystone_integration | bool %} -auth_url = {{ keystone_internal_url }} -auth_type = password -user_domain_id = {{ default_user_domain_id }} -username = {{ ironic_inspector_keystone_user }} -password = {{ ironic_inspector_keystone_password }} -valid_interfaces = internal -cafile = {{ openstack_cacert }} -region_name = {{ openstack_region_name }} -system_scope = all -{% else %} -auth_type = none -endpoint_override = {{ ironic_internal_endpoint }} -{% endif %} - -{% if ironic_enable_keystone_integration | bool %} -[keystone_authtoken] -service_type = baremetal-introspection -www_authenticate_uri = {{ keystone_public_url }} -auth_url = {{ keystone_internal_url }} -auth_type = password -project_domain_id = {{ default_project_domain_id }} -user_domain_id = {{ default_user_domain_id }} -project_name = service -username = {{ ironic_inspector_keystone_user }} -password = {{ ironic_inspector_keystone_password }} -cafile = {{ openstack_cacert }} -region_name = {{ openstack_region_name }} - -memcache_security_strategy = {{ memcache_security_strategy }} -memcache_secret_key = {{ memcache_secret_key }} -memcached_servers = {% for 
host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} -{% endif %} - -{% if ironic_policy_file is defined %} -[oslo_policy] -policy_file = {{ ironic_policy_file }} -{% endif %} - -[database] -connection = mysql+pymysql://{{ ironic_inspector_database_user }}:{{ ironic_inspector_database_password }}@{{ ironic_inspector_database_address }}/{{ ironic_inspector_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if ironic_database_enable_tls_internal | bool }} -connection_recycle_time = {{ database_connection_recycle_time }} -max_pool_size = {{ database_max_pool_size }} - -[processing] -ramdisk_logs_dir = /var/log/kolla/ironic-inspector - -[pxe_filter] -driver = {{ ironic_inspector_pxe_filter }} - -{% if ironic_inspector_pxe_filter == 'iptables' %} -[iptables] -dnsmasq_interface = {{ ironic_dnsmasq_interface }} -{% endif %} - -[coordination] -{% if ironic_coordination_backend == 'redis' %} -backend_url = {{ redis_connection_string }} -{% elif ironic_coordination_backend == 'etcd' %} -# NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http) due to issues with alternative (etcd3) and eventlet (as used by cinder) -# see https://bugs.launchpad.net/kolla-ansible/+bug/1854932 -# and https://review.opendev.org/466098 for details -# NOTE(jan.gutter): etcd v3.4 removed the default `v3alpha` api_version. Until -# tooz defaults to a newer version, we should explicitly specify `v3` -backend_url = etcd3+{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ etcd_client_port }}?api_version=v3{% if openstack_cacert %}?ca_cert={{ openstack_cacert }}{% endif %} -{% endif %} - -{% if ironic_inspector_known_devices_file_path is defined %} -[accelerators] -known_devices = /etc/ironic-inspector/known_devices.yaml -{% endif %} - -[oslo_concurrency] -lock_path = /var/lib/ironic-inspector/tmp 
diff --git a/ansible/roles/ironic/templates/ironic-inspector.json.j2 b/ansible/roles/ironic/templates/ironic-inspector.json.j2 deleted file mode 100644 index 22d6c4c53b..0000000000 --- a/ansible/roles/ironic/templates/ironic-inspector.json.j2 +++ /dev/null @@ -1,28 +0,0 @@ -{ - "command": "ironic-inspector --config-file /etc/ironic-inspector/inspector.conf", - "config_files": [ - { - "source": "{{ container_config_directory }}/inspector.conf", - "dest": "/etc/ironic-inspector/inspector.conf", - "owner": "ironic-inspector", - "perm": "0600" - }{% if ironic_inspector_policy_file is defined %}, - { - "source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}", - "dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}", - "owner": "ironic-inspector", - "perm": "0600" - }{% endif %}{% if ironic_inspector_known_devices_file_path is defined %}, - { - "source": "{{ container_config_directory }}/known_devices.yaml", - "dest": "/etc/ironic-inspector/known_devices.yaml", - "owner": "ironic-inspector", - }{% endif %}{% if kolla_copy_ca_into_containers | bool %}, - { - "source": "{{ container_config_directory }}/ca-certificates", - "dest": "/var/lib/kolla/share/ca-certificates", - "owner": "root", - "perm": "0600" - }{% endif %} - ] -} diff --git a/ansible/roles/ironic/templates/ironic-tftp.json.j2 b/ansible/roles/ironic/templates/ironic-tftp.json.j2 index 8526aea56b..69fdbabdec 100644 --- a/ansible/roles/ironic/templates/ironic-tftp.json.j2 +++ b/ansible/roles/ironic/templates/ironic-tftp.json.j2 
@@ -4,7 +4,7 @@ { "command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address {{ ironic_tftp_listen_address }}:69 --map-file /map-file /var/lib/ironic/tftpboot", "config_files": [ -{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %} +{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-dnsmasq'] | length > 0 %} { "source": "{{ container_config_directory }}/ironic-agent.kernel", "dest": "/var/lib/ironic/tftpboot/ironic-agent.kernel", diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index d849ede8b7..fcf130bf76 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -155,23 +155,6 @@ valid_interfaces = internal cafile = {{ openstack_cacert }} {% endif %} -[inspector] -{% if ironic_enable_keystone_integration | bool %} -auth_url = {{ keystone_internal_url }} -auth_type = password -project_domain_id = {{ default_project_domain_id }} -user_domain_id = default -project_name = service -username = {{ ironic_keystone_user }} -password = {{ ironic_keystone_password }} -region_name = {{ openstack_region_name }} -valid_interfaces = internal -cafile = {{ openstack_cacert }} -{% else %} -auth_type = none -endpoint_override = {{ ironic_inspector_internal_endpoint }} -{% endif %} - [service_catalog] {% if ironic_enable_keystone_integration | bool %} auth_url = {{ keystone_internal_url }} diff --git a/ansible/roles/ironic/templates/pxelinux.default.j2 b/ansible/roles/ironic/templates/pxelinux.default.j2 index 3b5b6ce75b..d4b410f0ae 100644 --- a/ansible/roles/ironic/templates/pxelinux.default.j2 +++ b/ansible/roles/ironic/templates/pxelinux.default.j2 
@@ -3,6 +3,6 @@ default introspect label introspect kernel ironic-agent.kernel -append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_inspector_kernel_cmdline_extras | join(' ') }} +append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_kernel_cmdline_extras | join(' ') }} ipappend 3 diff --git a/ansible/roles/loadbalancer/tasks/precheck.yml b/ansible/roles/loadbalancer/tasks/precheck.yml index ef13df2b21..7d4fc4bbf7 100644 --- a/ansible/roles/loadbalancer/tasks/precheck.yml +++ b/ansible/roles/loadbalancer/tasks/precheck.yml @@ -435,19 +435,6 @@ - haproxy_stat.find('ironic_api') == -1 - haproxy_vip_prechecks -- name: Checking free port for Ironic Inspector HAProxy - wait_for: - host: "{{ kolla_internal_vip_address }}" - port: "{{ ironic_inspector_port }}" - connect_timeout: 1 - timeout: 1 - state: stopped - when: - - enable_ironic | bool - - inventory_hostname in groups['loadbalancer'] - - haproxy_stat.find('ironic_inspector') == -1 - - haproxy_vip_prechecks - - name: Checking free port for Keystone Internal HAProxy wait_for: host: "{{ kolla_internal_vip_address }}" diff --git a/ansible/roles/loadbalancer/tasks/upgrade.yml b/ansible/roles/loadbalancer/tasks/upgrade.yml index 50fdd02aa6..88e10327eb 100644 --- a/ansible/roles/loadbalancer/tasks/upgrade.yml +++ b/ansible/roles/loadbalancer/tasks/upgrade.yml @@ -27,4 +27,13 @@ when: - inventory_hostname in groups['loadbalancer'] +# TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release +- name: Removing config for ironic-inspector + file: + path: "{{ node_config_directory }}/haproxy/services.d/ironic-inspector.cfg" + state: "absent" + become: true + when: + - inventory_hostname in groups['loadbalancer'] + - import_tasks: deploy.yml 
diff --git a/ansible/roles/prometheus/defaults/main.yml b/ansible/roles/prometheus/defaults/main.yml index 12420d636f..f36fc0efbf 100644 --- a/ansible/roles/prometheus/defaults/main.yml +++ b/ansible/roles/prometheus/defaults/main.yml @@ -250,8 +250,6 @@ prometheus_blackbox_exporter_endpoints_default: - endpoints: - "ironic:os_endpoint:{{ ironic_public_endpoint }}" - "{{ ('ironic_internal:os_endpoint:' + ironic_internal_endpoint) if not kolla_same_external_internal_vip | bool }}" - - "ironic_inspector:os_endpoint:{{ ironic_inspector_public_endpoint }}" - - "{{ ('ironic_inspector_internal:os_endpoint:' + ironic_inspector_internal_endpoint) if not kolla_same_external_internal_vip | bool }}" enabled: "{{ enable_ironic | bool }}" - endpoints: - "keystone:os_endpoint:{{ keystone_public_url }}" diff --git a/ansible/roles/service-ks-register/tasks/main.yml b/ansible/roles/service-ks-register/tasks/main.yml index d35525d6cc..58a3081254 100644 --- a/ansible/roles/service-ks-register/tasks/main.yml +++ b/ansible/roles/service-ks-register/tasks/main.yml @@ -64,15 +64,19 @@ retries: "{{ service_ks_register_retries }}" delay: "{{ service_ks_register_delay }}" - - name: "{{ project_name }} | Creating users" + - name: "{{ project_name }} | Creating/deleting users" kolla_toolbox: container_engine: "{{ kolla_container_engine }}" module_name: openstack.cloud.identity_user module_args: default_project: "{{ item.project }}" name: "{{ item.user }}" - password: "{{ item.password }}" - update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}" + password: "{{ item.password | default(omit) }}" + update_password: >- + {{ 'always' if + update_keystone_service_user_passwords | bool and + item.password is defined + else 'on_create' }} domain: "{{ service_ks_register_domain }}" region_name: "{{ service_ks_register_region_name }}" auth: "{{ service_ks_register_auth }}" diff --git a/ansible/site.yml b/ansible/site.yml index 6c8755e808..8dbaa39bc3 100644 
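Review bot: With `password: "{{ item.password | default(omit) }}"` an entry that is meant to create a user but lacks a `password` key no longer fails; the module is called without a password and the task reports success. Before this change the undefined key stopped the play, which caught an incomplete entry in a role's user list. The task body continues outside the hunk, so how a removal is requested is not visible here. Whatever that signal is, tie the omission to it, or add an `assert` ahead of this task that `item.password` is defined for every entry that is not a removal. A comment such as `# password may be omitted only for entries that remove a user` above the key would record the intent.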
--- a/ansible/site.yml +++ b/ansible/site.yml @@ -552,7 +552,6 @@ hosts: - ironic-api - ironic-conductor - - ironic-inspector - ironic-tftp - ironic-http - '&enable_ironic_True' diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst index 62fc93673d..d7a5ee90b7 100644 --- a/doc/source/reference/bare-metal/ironic-guide.rst +++ b/doc/source/reference/bare-metal/ironic-guide.rst @@ -26,7 +26,7 @@ define a network to be used for the Ironic cleaning network: ironic_dnsmasq_interface: "eth1" ironic_cleaning_network: "public1" -Finally, define at least one DHCP range for Ironic inspector: +Finally, define at least one DHCP range for Ironic inspection: .. code-block:: yaml @@ -76,7 +76,7 @@ The default lease time for each range can be configured globally via ``ironic_dnsmasq_dhcp_default_lease_time`` variable or per range via ``lease_time`` parameter. -In the same file, specify the PXE bootloader file for Ironic Inspector. The +In the same file, specify the PXE bootloader file for Ironic inspection. The file is relative to the ``/var/lib/ironic/tftpboot`` directory. The default is ``pxelinux.0``, and should be correct for x86 systems. Other platforms may require a different value, for example aarch64 on Debian requires @@ -86,7 +86,7 @@ require a different value, for example aarch64 on Debian requires ironic_dnsmasq_boot_file: pxelinux.0 -Ironic inspector also requires a deploy kernel and ramdisk to be placed in +Ironic inspection also requires a deploy kernel and ramdisk to be placed in ``/etc/kolla/config/ironic/``. The following example uses coreos which is commonly used in Ironic deployments, though any compatible kernel/ramdisk may be used: 
@@ -103,7 +103,7 @@ You may optionally pass extra kernel parameters to the inspection kernel using: .. code-block:: yaml - ironic_inspector_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1'] + ironic_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1'] in ``/etc/kolla/globals.yml``. @@ -120,7 +120,7 @@ Revert to plain PXE (not recommended) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Starting with Yoga, Ironic has changed the default PXE from plain PXE to iPXE. Kolla Ansible follows this upstream decision by choosing iPXE as the default -for Ironic Inspector but allows users to revert to the previous default of +for Ironic inspection but allows users to revert to the previous default of plain PXE by setting the following in ``/etc/kolla/globals.yml``: @@ -215,7 +215,7 @@ Post-deployment configuration The :ironic-doc:`Ironic documentation ` describes how to create the deploy kernel and ramdisk and register them with Glance. In this example we're reusing the same images that were fetched for the -Inspector: +inspection: .. code-block:: console diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 8a092c238a..cb0e651d59 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml 
@@ -639,14 +639,14 @@ workaround_ansible_issue_8743: yes ############################# # Ironic options ############################# -# dnsmasq bind interface for Ironic Inspector, by default is network_interface +# dnsmasq bind interface for Ironic inspection, by default is network_interface #ironic_dnsmasq_interface: "{{ network_interface }}" # The following value must be set when enabling ironic, the value format is a # list of ranges - at least one must be configured, for example: # - range: 192.168.0.10,192.168.0.100 # See Kolla Ansible docs on Ironic for details. #ironic_dnsmasq_dhcp_ranges: -# PXE bootloader file for Ironic Inspector, relative to /var/lib/ironic/tftpboot. +# PXE bootloader file for Ironic inspection, relative to /var/lib/ironic/tftpboot. #ironic_dnsmasq_boot_file: "pxelinux.0" # Configure ironic upgrade option, due to currently kolla support @@ -657,7 +657,7 @@ workaround_ansible_issue_8743: yes #ironic_enable_rolling_upgrade: "yes" # List of extra kernel parameters passed to the kernel used during inspection -#ironic_inspector_kernel_cmdline_extras: [] +#ironic_kernel_cmdline_extras: [] # Valid options are [ '', redis, etcd ] #ironic_coordination_backend: "{{ 'redis' if enable_redis|bool else 'etcd' if enable_etcd|bool else '' }}" diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index 70ab8b5671..8647dd9d29 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -96,9 +96,6 @@ heat_domain_admin_password: ironic_database_password: ironic_keystone_password: -ironic_inspector_database_password: -ironic_inspector_keystone_password: - magnum_database_password: magnum_keystone_password: diff --git a/releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml b/releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml new file mode 100644 index 0000000000..a912433e94 --- /dev/null +++ b/releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml 
@@ -0,0 +1,12 @@ +--- +upgrade: + - | + The ``ironic-inspector`` deployment support has been dropped following + retirement of that service in ``Ironic`` project. + ``ironic_inspector_kernel_cmdline_extras`` has been renamed to + ``ironic_kernel_cmdline_extras`` and ``ironic_inspector_pxe_filter`` + has been renamed to ``ironic_pxe_filter``. + Also the ``inspector.ipxe`` file has been renamed to ``ipa.ipxe``. + - | + ``bifrost`` support for deploying legacy ironic inspector has been + dropped together with ``bifrost_enable_ironic_inspector`` variable. diff --git a/roles/openstack-clients/defaults/main.yml b/roles/openstack-clients/defaults/main.yml index 52a5c88851..d335a3ef1d 100644 --- a/roles/openstack-clients/defaults/main.yml +++ b/roles/openstack-clients/defaults/main.yml @@ -8,8 +8,6 @@ openstack_clients_pip_packages: enabled: true - package: python-ironicclient enabled: "{{ scenario == 'ironic' }}" - - package: python-ironic-inspector-client - enabled: "{{ scenario == 'ironic' }}" - package: python-magnumclient enabled: "{{ scenario == 'magnum' }}" - package: python-masakariclient diff --git a/tests/get_logs.sh b/tests/get_logs.sh index 55dbca03fb..8633ec1c36 100644 --- a/tests/get_logs.sh +++ b/tests/get_logs.sh @@ -123,7 +123,7 @@ copy_logs() { # bifrost related logs if [[ $(${CONTAINER_ENGINE} ps --filter name=bifrost_deploy --format "{{.Names}}") ]]; then - for service in dnsmasq ironic ironic-api ironic-conductor ironic-inspector mariadb nginx; do + for service in dnsmasq ironic ironic-api ironic-conductor mariadb nginx; do mkdir -p ${LOG_DIR}/kolla/$service ${CONTAINER_ENGINE} exec bifrost_deploy systemctl status $service > ${LOG_DIR}/kolla/$service/systemd-status-$service.txt done 
@@ -136,12 +136,6 @@ copy_logs() { ${CONTAINER_ENGINE} exec haproxy bash -c 'echo show stat | socat stdio /var/lib/kolla/haproxy/haproxy.sock' > ${LOG_DIR}/kolla/haproxy/stats.txt fi - # FIXME: remove - if [[ $(${CONTAINER_ENGINE} ps -a --filter name=ironic_inspector --format "{{.Names}}") ]]; then - mkdir -p ${LOG_DIR}/kolla/ironic-inspector - ls -lR ${VOLUMES_DIR}/ironic_inspector_dhcp_hosts > ${LOG_DIR}/kolla/ironic-inspector/var-lib-ls.txt - fi - for container in $(${CONTAINER_ENGINE} ps -a --format "{{.Names}}"); do ${CONTAINER_ENGINE} logs --timestamps --tail=${LOGS_TAIL_PARAMETER} ${container} &> ${LOG_DIR}/container_logs/${container}.txt done diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2 index 9a5c879f89..ca98719a89 100644 --- a/tests/templates/inventory.j2 +++ b/tests/templates/inventory.j2 @@ -410,9 +410,15 @@ ironic [ironic-conductor:children] ironic +{# NOTE(mnasiadka): Remove in Gazpacho/2026.1 release #} +{% if is_upgrade | bool %} [ironic-inspector:children] ironic +{% endif %} +[ironic-dnsmasq:children] +ironic + [ironic-tftp:children] ironic diff --git a/tests/templates/ironic-overrides.j2 b/tests/templates/ironic-overrides.j2 index 19aa737aa6..be944b3072 100644 --- a/tests/templates/ironic-overrides.j2 +++ b/tests/templates/ironic-overrides.j2 @@ -1,5 +1,10 @@ +[DEFAULT] +enabled_inspect_interfaces = no-inspect, agent +default_inspect_interface = agent + [neutron] cleaning_network = public1 +inspection_network = public1 provisioning_network = public1 # This IPMI configuration has been taken from the metal3.io ironic-image diff --git a/tests/test-ironic.sh b/tests/test-ironic.sh index b182dcc52d..fc3d3c7d6d 100755 --- a/tests/test-ironic.sh +++ b/tests/test-ironic.sh 
@@ -19,7 +19,7 @@ function test_ironic_logged { # Smoke test ironic API. openstack --os-cloud kolla-admin-system-internal baremetal driver list - openstack baremetal node list + openstack --os-cloud kolla-admin-system-internal baremetal node list openstack baremetal port list openstack baremetal node show tk0 
@@ -27,14 +27,43 @@ function test_ironic_logged { openstack baremetal node show tk0 openstack baremetal node manage tk0 openstack baremetal node show tk0 - openstack baremetal node provide tk0 - openstack baremetal node show tk0 openstack baremetal node validate tk0 - echo "TESTING: Server creation" - openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test + echo "TESTING: Server inspection" + openstack baremetal node inspect tk0 local attempt attempt=1 + while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "manageable" ]]; do + echo "Server not yet manageable, check $attempt - retrying" + attempt=$((attempt+1)) + if [[ $attempt -eq 16 ]]; then + echo "FAILED: Server did not finish inspection after $attempt checks" + openstack baremetal node show tk0 + return 1 + fi + sleep 60 + done + openstack baremetal node inventory save tk0 + echo "" + echo "SUCCESS: Server inspection" + + echo "TESTING: Server creation" + openstack baremetal node provide tk0 + attempt=1 + while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "available" ]]; do + echo "Server not yet available, check $attempt - retrying" + attempt=$((attempt+1)) + if [[ $attempt -eq 16 ]]; then + echo "FAILED: Server did not get to available state after $attempt checks" + openstack baremetal node show tk0 + return 1 + fi + sleep 60 + done + # NOTE(mnasiadka): Wait for nova-compute-ironic to pick up the new node + sleep 60 + openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test + attempt=1 while [[ $(openstack server show kolla_bm_boot_test -f value -c status) != "ACTIVE" ]]; do echo "Server not yet active, check $attempt - retrying" attempt=$((attempt+1)) diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index bc59cde853..e416ce8452 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
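Review bot: Both new polling loops test only for the target state, so a node that lands in a failure state is polled for about fifteen minutes before the job fails. After `openstack baremetal node inspect tk0` the loop should stop as soon as `provision_state` is `inspect failed`, for example by reading `state=$(openstack baremetal node show tk0 -f value -c provision_state)` once per iteration and adding `[[ $state == "inspect failed" ]] && return 1`. The loop after `openstack baremetal node provide tk0` can do the same for `clean failed`. `test_ironic_logged` starts and ends outside this hunk.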
@@ -359,6 +359,30 @@ vars: base_distro: ubuntu +- job: + name: kolla-ansible-rocky9-ironic-upgrade + parent: kolla-ansible-ironic-base + nodeset: kolla-ansible-rocky9 + vars: + base_distro: rocky + is_upgrade: true + +- job: + name: kolla-ansible-debian-ironic-upgrade + parent: kolla-ansible-ironic-base + nodeset: kolla-ansible-debian-bookworm-16GB + vars: + base_distro: debian + is_upgrade: true + +- job: + name: kolla-ansible-ubuntu-ironic-upgrade + parent: kolla-ansible-ironic-base + nodeset: kolla-ansible-ubuntu-noble-8GB + vars: + base_distro: ubuntu + is_upgrade: true + - job: name: kolla-ansible-rocky9-magnum parent: kolla-ansible-magnum-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 609201a2c3..0f7a18e536 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -25,6 +25,8 @@ - kolla-ansible-ubuntu-masakari - kolla-ansible-debian-ironic - kolla-ansible-ubuntu-ironic + - kolla-ansible-debian-ironic-upgrade + - kolla-ansible-ubuntu-ironic-upgrade - kolla-ansible-debian-upgrade - kolla-ansible-ubuntu-upgrade - kolla-ansible-ubuntu-cells