Configuration of RPC for ironic-inspector was a bit of a mixed
bag, with some config fixed at defaults which are only relevant
for HA queues. This conforms it to the way the majority of
variables are managed.
Note that this changes the default for
ironic_inspector_oslomsg_rpc_use_ssl, but this should be set via
oslomsg_rpc_use_ssl anyway.
This also removes various unused inspector notification defaults.
Change-Id: I7edc658f57de5ffc6d4aa158b02d26fa3ad71c9d
The default nginx config file on centos/rocky includes a server
section listening on port 80 and [::]:80. There is no way to disable
this other than to adjust the configuration file.
This patch supplies a modified version of the centos nginx config
file which does not include a default server section.
A systemd drop in is installed to override the nginx service
ExecStart which starts the service using the modified configuration
file.
Change-Id: If7674a750e5316feb4d0fcff8cd0f4df7a67ffbb
See https://review.opendev.org/c/openstack/ironic/+/907148
Ironic enables oslo policy RBAC changes from 2024.1 by default.
Once enabled, in theory system scoped tokens are required for
various actions, but in practice this doesn't necessarily work
when interacting with other services.
New Ironic variables provide the means to continue with a
relatively standard deployment without having to make
far-reaching policy changes.
Change-Id: I2cb53414cce3a899a0db5f74e56798de95c6c4b1
Due to the shortcoming of QManager implementation [1], in case of uWSGI
usage on metal hosts, the flow ends up with having the same
hostname/processname set, making services fight over the same file
under SHM.
In order to avoid this, we prepend the hostname with a service_name.
We can not change processname instead, since it will lead to the fight
between different processes of the same service.
[1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922
Change-Id: I562e8d0a65b12aa8ce88caea2d7e955f78c3bf33
During the last release cycle oslo.messaging has landed [1] a series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
[1] https://review.opendev.org/q/topic:%22bug-2031497%22
Change-Id: Ia0d7ac84ced77511b82f28e409477e4d1589adb6
In order to be able to globally enable notification reporting for all services,
without a need to have ceilometer deployed or a bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential use cases are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/914144
Change-Id: I9efc107116b149b75b2ed8b54335758e57d6dabc
It appears this was missed in patch
Ib8d53b394937405c821687b1c46b2b19112267dd.
This patch conforms the other pxe config to use the same
inspector callback URL.
Change-Id: I5eee7d054bb4eda70acbaab9885c3985efb04002
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I0f6ae74be36c0cb7a2270cfa1085c44e6dd4dc77
By overriding the variable `ironic_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the ironic backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: If97a857c36e9e3e7ad8a18926bb9cbf04189c7cb
This patch enables the native raid driver implementation for each
of the hardware types defined in `ironic_driver_types`. If necessary
this can be overridden in ironic.conf using config overrides.
Change-Id: I28b39b391d307e0a4aa71e13337f646d872925ec
This patch adds the `console` field to the ironic_driver_types
variable and then enables a set of console drivers in the ironic
config through the `enabled_console_interfaces` option.
If `ipmitool-socat` is one of the enabled drivers, then the socat
distro package is installed to support that.
Defaults are added for socat bind address and port range to
use.
[1] https://opendev.org/openstack/ironic/src/branch/master/doc/source/admin/upgrade-to-hardware-types.rst
Change-Id: I36dd1a0ec69e5702143a1a26bd5901fc88706e84
The directory for the tftp server is defined consistently between ironic
and inspector, but not for the http directory.
This patch makes the definition of the http directory work the same
way as the tftp one.
Change-Id: I8d893faa31e5858c4923cb12ef453ec9397db5df
1) The variable to allow processing hooks to be configured is used
in the ironic-inspector template but not documented in the role defaults.
Add the default and an example of usage.
2) When using LLDP to discover switchport connections during
inspection it is necessary to pass an additional kernel parameter
to the deploy image but there is no variable to allow this to
happen. This patch adds a variable that the deployer can use
to pass arbitrary kernel parameters to the deploy image.
Change-Id: I2f67dfcf4164e009bf53e9324bd430aec4c97dcb
The deploy image is required in two places in an ironic deployment,
first as images uploaded to glance for the ironic service, and second
as files on a web server for the ironic-inspector service.
Previously this role only placed the deploy images on the ironic
inspector web server, but this patch provides the functionality to
also upload the images to glance.
The variables for ironic deploy image source locations are
consolidated so that only one set is required to run the tasks
for both ironic and ironic-inspector, and several overrides are
available allowing the source to be overridden to a local mirror
easily.
Finally - the name of the files placed on the inspector web server
and into glance represent the upstream name of the image files rather
than generic names which lose versioning and release information.
Change-Id: I1aed9d97a4ddbfb70d2375f5204c55374d1067c9
This config block must be set on the ironic-api service so that it
can authenticate with the ironic-inspector service. With no config
in this block on the ironic-api service there is just an auth
failure when trying to inspect a baremetal node.
Change-Id: I7a43b7a1a393591ec85c1c91d37171f8c090878b
For a simple unrouted network these do not exist, but the role
currently forces bogus values to be given for the dhcpd template.
Allow the values to be unset to reduce confusion.
Change-Id: I609a05c50d1de5668f2b092e3a3ef1015e944fe6
Define the callback URL in the role defaults so it can be specifically
overridden rather than needing to use config_template to override
the entire kernel parameters line in the inspector ipxe config.
Change-Id: Ib8d53b394937405c821687b1c46b2b19112267dd
Ironic has replaced deprecated pxe_append_params config option
with kernel_pxe_params. The ironic.conf template has been changed
accordingly, but support remains for config override
ironic_pxe_append_params.
Change-Id: Icedd2b8f0e81607caba93afd34557bd4c3a88b4d
The [keystone] configuration block no longer exists in ironic.conf
and was deprecated in Queens. Use 'region_name' option in the
following sections - '[service_catalog]', '[neutron]', '[glance]',
'[cinder]', '[swift]' and '[inspector]' to configure region for those
services individually.
Change-Id: I40a073f9aa6e40f35dffab6223308a18fa98e7ac
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables validation of tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d70c2c46fef6ffc0fcebe4b56a0ecdedc1d3298
This patchset aims to correct some design limitations with the current
ironic-inspector deploy process.
- a new ironic-inspector-dnsmasq service has been created to split
inspector-specific dnsmasq configuration out of the base dnsmasq
config files
- PXE/iPXE and UEFI support for ironic-inspector boot
- (todo) documentation improvements and diagrams
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823426
Change-Id: Ib5cbb28f97dd7421bfecb815def89305f3b1da33
The [glance]glance_api_servers configuration option has been deprecated
since Pike and removed in 2019 per Ironic commit
dcfb4f10f31c11afa350ef6418a0e12e6be6e5b2. Removing from ironic.conf
template.
Change-Id: I3b09514635ee0c8665c425bd1fe42fb594361a0e
The value for default_boot_interfaces must be supported by all
configured drivers, otherwise conductor won't start. This configuration
can be applied as an override by the operator, if necessary, rather
than OSA.
Change-Id: I780a1f130b0c695822ba50066247688bf4874dac
This patchset adds support for deploying instances using UEFI baremetal
nodes. UEFI may replace Legacy BIOS mode in future Ironic releases. Tested
with Ubuntu Focal 20.04 LTS.
Change-Id: I0fa6234ec7321e1d69901175baeab4ddb08afc50
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I1c90ce68ce218d538cd89b111dc1ee4142f14eef
This patch fixes at least one issue related to ironic-conductor and
its inability to report to Nova based on lack of Nova-related
configuration in ironic.conf.
Change-Id: I96aac9f0f2c1e9bdb6ebd601ee3546ad13e0d927
This patch allows ironic-inspector to listen on host IP
rather than 0.0.0.0, as well as allows an existing Neutron-managed
inspection network to be used for inspection traffic.
Change-Id: I645857ad62954f08b160e5889f93dc1f6423def2
This patchset adds support for iPXE, which can speed up baremetal
provisioning considerably due to the use of HTTP versus TFTP.
Change-Id: I8b49ae37a0380cd7a2191f050a52c85cc373026b
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.
We also add pymemcache based on [1]
[1] https://review.opendev.org/711429
Change-Id: I7e3b2835f1cee2525b02960e2b7e4ee238373bcc
This commit enables and configures the Ironic Inspector. This feature
allows for baremetal nodes to be introspected. This provides useful
information about an Ironic host. Such information includes hardware
and mac addresses.
Depends-On: https://review.opendev.org/680553
Change-Id: I2ee09d9cc20f9b8e4430c55129cd8bac9435299d
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: Ie79a7ba7d62504e9e81edbb386f8e52ce0a03074
This fixes the tftp service name on CentOS and makes sure that
the service is running on boot. It also makes sure that the
tftp_root is setup correctly for the default configuration
on CentOS.
Change-Id: I56944ea905b5ea908cf1e93d5ae1325e68788562
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.
Change-Id: Iaddb2c158a52d90025899d9bfa5576358bef92dd
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing
features or functionality. The intention of this change is to ensure
uniformity and reduce the maintenance burden on the community when
sweeping changes are needed. The exterior role is built to be OSA
compatible and may be pulled into tree should we deem it necessary.
Change-Id: I404639ae7ebd349d4a11fc5ce1ef3d2805833217
When ironic is connecting to another service's API, it should use
its own credentials to obtain an authtoken with keystone.
Without this patch, ironic deployment would fail with an undefined
variable "neutron_service_adminurl", which is not required.
It is not defined since a patch removed it from the group vars.
[1]: https://review.opendev.org/#/c/658178/
Change-Id: Ib8f67b195d1d74cc7997822fa1f5f0ac2176393d
In order to do a more complete verification of any patches,
we add a full uncontainerised OpenStack deployment to do the
functional testing using the integrated repo. This replaces
the previous functional test mechanism.
Any additional role tests are left as-is. They will require
some extra implementation in the integrated build before they
can be transferred.
In addition, policy-in-code is a thing in Ironic now so there
is no need to use a template-ized file.
Depends-On: https://review.openstack.org/647840
Depends-On: https://review.openstack.org/648502
Depends-On: https://review.openstack.org/648551
Depends-On: https://review.openstack.org/648575
Change-Id: I31747ea9273c435a3856c4fc277a2a25814c5b02