Allow chainloading of Inspector ramdisk over UEFI

To send the Inspector ramdisk over HTTP rather than TFTP, we must first
send an iPXE boot image that knows how to speak HTTP, and then instruct
it to "chainload" the inspector ramdisk. Previously, we could only do
this if the machine being introspected had BIOS firmware. However, most
modern servers now use UEFI firmware, which requires a different iPXE
boot image (as described at http://ipxe.org/howto/chainloading).

We must specify the initrd in the iPXE `kernel` line to avoid the
problem described at http://forum.ipxe.org/showthread.php?tid=7589.

Change-Id: I9cb102178bee8039a8cfc157154ecbd315aba871

manifests/inspector.pp

@@ -29,6 +29,10 @@
 #  (optional) Protocol to be used for transferring the ramdisk
 #  Defaults to 'tftp'. Valid values are 'tftp' or 'http'.
 #
+# [*enable_uefi*]
+# (optional) Allow introspection of machines with UEFI firmware.
+# Defaults to false. Ignored unless $pxe_transfer_protocol='http'.
+#
 # [*debug*]
 #   (optional) Enable debug logging
 #   Defaults to undef
@@ -146,6 +150,7 @@ class ironic::inspector (
   $package_ensure                  = 'present',
   $enabled                         = true,
   $pxe_transfer_protocol           = 'tftp',
+  $enable_uefi                     = false,
   $debug                           = undef,
   $auth_uri                        = 'http://127.0.0.1:5000/v2.0',
   $identity_uri                    = 'http://127.0.0.1:35357',
@@ -220,6 +225,20 @@ class ironic::inspector (
       content => template('ironic/inspector_ipxe.erb'),
       require => Package['ironic-inspector'],
     }
+    $bios_ipxe_file = '/tftpboot/undionly.kpxe'
+    exec { 'test BIOS iPXE image present':
+      path    => '/bin:/usr/bin',
+      command => 'exit 1',
+      unless  => "test -f ${bios_ipxe_file}",
+    }
+    if $enable_uefi {
+      $uefi_ipxe_file = '/tftpboot/ipxe.efi'
+      exec { 'test UEFI iPXE image present':
+        path    => '/bin:/usr/bin',
+        command => 'exit 1',
+        unless  => "test -f ${uefi_ipxe_file}",
+      }
+    }
   }
 
   # Configure inspector.conf

spec/classes/ironic_inspector_spec.rb

@@ -24,6 +24,7 @@ describe 'ironic::inspector' do
     { :package_ensure                  => 'present',
       :enabled                         => true,
       :pxe_transfer_protocol           => 'tftp',
+      :enable_uefi                     => false,
       :auth_uri                        => 'http://127.0.0.1:5000/v2.0',
       :identity_uri                    => 'http://127.0.0.1:35357',
       :admin_user                      => 'ironic',
@@ -129,6 +130,14 @@ describe 'ironic::inspector' do
       )
     end
 
+    it 'should not test for BIOS iPXE image by default' do
+      is_expected.to_not contain_exec('test BIOS iPXE image present')
+    end
+
+    it 'should not test for UEFI iPXE image by default' do
+      is_expected.to_not contain_exec('test UEFI iPXE image present')
+    end
+
     context 'when overriding parameters' do
       before :each do
         params.merge!(
@@ -143,6 +152,7 @@ describe 'ironic::inspector' do
           :pxe_transfer_protocol        => 'http',
           :additional_processing_hooks  => 'hook1,hook2',
           :ramdisk_kernel_args          => 'foo=bar',
+          :enable_uefi                  => true,
         )
       end
       it 'should replace default parameter with new value' do
@@ -174,6 +184,22 @@ describe 'ironic::inspector' do
             /kernel http:\/\/192.168.0.1:8088\/agent.kernel ipa-inspection-callback-url=http:\/\/192.168.0.1:5050\/v1\/continue ipa-inspection-collectors=default.* foo=bar/
         )
       end
+
+      it 'should test for BIOS iPXE image' do
+        is_expected.to contain_exec('test BIOS iPXE image present').with(
+          :path    => '/bin:/usr/bin',
+          :command => 'exit 1',
+          :unless  => 'test -f /tftpboot/undionly.kpxe'
+        )
+      end
+
+      it 'should test for UEFI iPXE image' do
+        is_expected.to contain_exec('test UEFI iPXE image present').with(
+          :path    => '/bin:/usr/bin',
+          :command => 'exit 1',
+          :unless  => 'test -f /tftpboot/ipxe.efi'
+        )
+      end
     end
   end
 

templates/inspector_dnsmasq_http.erb

@@ -4,7 +4,16 @@ bind-interfaces
 dhcp-range=<%= @dnsmasq_ip_range %>,29
 enable-tftp
 tftp-root=/tftpboot
-dhcp-match=ipxe,175
-dhcp-boot=tag:!ipxe,undionly.kpxe,localhost.localdomain,<%= @dnsmasq_local_ip %>
-dhcp-boot=tag:ipxe,http://<%= @dnsmasq_local_ip %>:8088/inspector.ipxe
 dhcp-sequential-ip
+dhcp-match=ipxe,175
+<% if @enable_uefi -%>
+dhcp-match=set:efi,option:client-arch,7
+<% end -%>
+# Client is running iPXE; move to next stage of chainloading
+dhcp-boot=tag:ipxe,http://<%= @dnsmasq_local_ip %>:8088/inspector.ipxe
+<% if @enable_uefi -%>
+# Client is running PXE over EFI; send EFI version of iPXE chainloader
+dhcp-boot=tag:efi,ipxe.efi
+# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
+<% end -%>
+dhcp-boot=undionly.kpxe,localhost.localdomain,<%= @dnsmasq_local_ip %>

templates/inspector_ipxe.erb

@@ -2,6 +2,6 @@
 
 dhcp
 
-kernel http://<%= @dnsmasq_local_ip %>:8088/agent.kernel ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes BOOTIF=${mac} <%= @ramdisk_kernel_args %>
+kernel http://<%= @dnsmasq_local_ip %>:8088/agent.kernel ipa-inspection-callback-url=http://<%= @dnsmasq_local_ip %>:5050/v1/continue ipa-inspection-collectors=<%= @ramdisk_collectors %> systemd.journald.forward_to_console=yes BOOTIF=${mac} <%= @ramdisk_kernel_args %> initrd=agent.ramdisk
 initrd http://<%= @dnsmasq_local_ip %>:8088/agent.ramdisk
 boot