Complete remove support for ironic-inspector
Signed-off-by: Dmitry Tantsur <[email protected]>
dtantsur committed Mar 6, 2024
1 parent 6664e02 commit c5a3d7d
Showing 17 changed files with 34 additions and 344 deletions.
9 changes: 2 additions & 7 deletions Dockerfile
Expand Up @@ -29,7 +29,6 @@ ARG INSTALL_TYPE=source
# build arguments for source build customization
ARG UPPER_CONSTRAINTS_FILE
ARG IRONIC_SOURCE
ARG IRONIC_INSPECTOR_SOURCE
ARG IRONIC_LIB_SOURCE
ARG SUSHY_SOURCE

Expand Down Expand Up @@ -59,15 +58,11 @@ COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2

# IRONIC-INSPECTOR #
RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
# DATABASE
RUN mkdir -p /var/lib/ironic && \
sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal" && \
dnf remove -y sqlite

COPY ironic-inspector-config/ironic-inspector.conf.j2 /etc/ironic-inspector/
COPY ironic-inspector-config/inspector-apache.conf.j2 /etc/httpd/conf.d/

# configure non-root user and set relevant permissions
RUN configure-nonroot.sh && \
rm -f /bin/configure-nonroot.sh
7 changes: 2 additions & 5 deletions README.md
Expand Up @@ -90,8 +90,6 @@ functionality:
Defaults to use `IRONIC_EXTERNAL_IP` if available.
- `IRONIC_EXTERNAL_HTTP_URL` - Override Ironic's external http URL. Defaults to
use `IRONIC_EXTERNAL_IP` if available.
- `IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE` - Override Inspector's callback
URL. Defaults to use `IRONIC_EXTERNAL_IP` if available.
- `IRONIC_ENABLE_VLAN_INTERFACES` - Which VLAN interfaces to enable on the
agent start-up. Can be a list of interfaces or a special value `all`.
Defaults to `all`.
Expand Down Expand Up @@ -121,9 +119,8 @@ podman build -t ironic-image -f Dockerfile --build-arg INSTALL_TYPE=rpm
## Custom source for ironic software

When building the ironic image from source, it is also possible to specify a
different source for ironic, ironic-inspector, ironic-lib or the sushy library
using the build arguments **IRONIC_SOURCE**, **IRONIC_INSPECTOR_SOURCE**,
**IRONIC_LIB_SOURCE**, and **SUSHY_SOURCE**.
different source for ironic, ironic-lib or the sushy library using the build
arguments **IRONIC_SOURCE**, **IRONIC_LIB_SOURCE**, and **SUSHY_SOURCE**.
The accepted formats are gerrit refs, like _refs/changes/89/860689/2_,
commit hashes, like _a1fe6cb41e6f0a1ed0a43ba5e17745714f206f1f_,
repo tags or branches, or a local directory that needs to be under the
21 changes: 9 additions & 12 deletions configure-nonroot.sh
Expand Up @@ -2,7 +2,7 @@

# This script changes permissions to allow Ironic container to run as non-root
# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
# ironic-inspector and ironic-log-watch via BMO's ironic k8s manifest, it has
# and ironic-log-watch via BMO's ironic k8s manifest, it has
# to be configured to work with multiple different users and groups, while they
# share files via bind mounts (/shared, /certs/*), which can only get one
# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
Expand All @@ -14,29 +14,26 @@ set -eux
# user and group are from ironic rpms (uid 997, gid 994)
IRONIC_USER="ironic"
IRONIC_GROUP="ironic"
INSPECTOR_GROUP="ironic-inspector"

# most containers mount /shared but dnsmasq can live without it
mkdir -p /shared
chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /shared
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared

# we'll bind mount shared ca and ironic/inspector certificate dirs here
# we'll bind mount shared ca and ironic certificate dirs here
# that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca
chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /certs{,/ca}
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
chmod 2775 /certs{,/ca}

# ironic, inspector and httpd related changes
# ironic and httpd related changes
chown -R root:"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chown -R "${IRONIC_USER}":"${INSPECTOR_GROUP}" /etc/ironic-inspector
chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*

chown -R root:"${IRONIC_GROUP}" /var/lib/ironic
chown -R root:"${INSPECTOR_GROUP}" /var/lib/ironic-inspector
chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
chmod 2775 /var/lib/ironic
chmod 664 /var/lib/ironic/ironic.db

# dnsmasq, and the capabilities required to run it as non-root user
chown -R root:"${IRONIC_GROUP}" /etc/dnsmasq.conf /var/lib/dnsmasq
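Review bot: The rewritten `chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*` keeps every ironic and httpd config file writable by the ironic group, and nothing in the script says why the write bit is needed. prepare-image.sh in this same commit keeps `usermod -aG ironic apache`, so the httpd user is one of the identities that can modify these files. If the bit exists only so the non-root containers can render their configs at start-up (not visible on this page), record that next to the line, e.g. `# group-writable: configs are rendered at container start by non-root users in the ironic group`. It is also worth checking whether files that are never rendered at runtime could drop to 644 now that the inspector paths are gone.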
11 changes: 4 additions & 7 deletions docs/releasing.md
Expand Up @@ -15,12 +15,10 @@ Things you should check before making a release:
[Metal3 release process](https://github.com/metal3-io/metal3-docs/blob/main/processes/releasing.md)
for high-level process and possible follow-up actions
- Verify the latest bugfix or stable branches (which is the most recent) in ironic
and ironic-inspector upstream repositories;
upstream repository;
- Verify compatibility with latest sushy and ironic-lib upstream releases or master
branches based on ironic and ironic-inspector bugfix or stable requirements
and constraints
- Verify openstack upper-constraints compatibility with ironic and ironic-inspector
bugfix or stable branches
branches based on ironic bugfix or stable requirements and constraints
- Verify openstack upper-constraints compatibility with ironic bugfix or stable branches
- Verify any other direct or indirect dependency is uplifted to close any public
vulnerabilities

Expand Down Expand Up @@ -63,8 +61,7 @@ or if using existing repository, verify your intended remote is set to
to replace the placeholder; if the ironic branch is a stable branch
we should use the corresponding file from the same stable branch, in
case of a bugfix branch we can use the current one from master
- Pin ironic and ironic-inspector to match the corresponding bugfix or
stable branches
- Pin ironic to match the corresponding bugfix or stable branches

### Tags

18 changes: 3 additions & 15 deletions ironic-config/ironic.conf.j2
Expand Up @@ -2,15 +2,15 @@
auth_strategy = noauth
debug = true
default_deploy_interface = direct
default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
default_inspect_interface = agent
default_network_interface = noop
enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,ibmc,manual-management,ilo,ilo5
enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
enabled_inspect_interfaces = agent,idrac-wsman,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo,ilo5,noop
enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,redfish,idrac-redfish,ilo5
Expand Down Expand Up @@ -142,24 +142,12 @@ power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1

{% if env.USE_IRONIC_INSPECTOR == "true" %}
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
{% endif %}
{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
{% endif %}
{% else %}
hooks = $default_hooks,parse-lldp
add_ports = all
keep_ports = present
{% endif %}

[auto_discovery]
enabled = {{ env.IRONIC_INSPECTOR_ENABLE_DISCOVERY }}
enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
driver = ipmi

[ipmi]
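Review bot: Under `[auto_discovery]`, `enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}` renders the renamed variable with no fallback, so a deployment that still exports IRONIC_INSPECTOR_ENABLE_DISCOVERY is ignored without any message. Whether the start-up scripts export a default for the new name is not visible on this page; if they do not, the option renders empty. A template-side default such as `enabled = {{ env.IRONIC_ENABLE_DISCOVERY | default("false", true) }}` keeps discovery off unless it is explicitly requested, which is the safer failure for a setting that controls enrolment of unknown nodes. The README hunks shown here do not list the new name, so it is worth adding there too.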
57 changes: 0 additions & 57 deletions ironic-inspector-config/inspector-apache.conf.j2

This file was deleted.

68 changes: 0 additions & 68 deletions ironic-inspector-config/ironic-inspector.conf.j2

This file was deleted.

1 change: 0 additions & 1 deletion ironic-rpm-list
Expand Up @@ -2,7 +2,6 @@ crudini
openstack-ironic
openstack-ironic-api
openstack-ironic-conductor
openstack-ironic-inspector
python3-dracclient
python3-gunicorn
python3-ibmcclient
9 changes: 0 additions & 9 deletions ironic-source-list
Expand Up @@ -9,15 +9,6 @@ ironic @ git+https://opendev.org/openstack/ironic@{{ env.IRONIC_SOURCE }}
{% else %}
ironic @ git+https://opendev.org/openstack/ironic
{% endif %}
{% if env.IRONIC_INSPECTOR_SOURCE %}
{% if path.isdir('/sources/' + env.IRONIC_INSPECTOR_SOURCE) %}
git+file:///sources/{{ env.IRONIC_INSPECTOR_SOURCE }}
{% else %}
ironic-inspector @ git+https://opendev.org/openstack/ironic-inspector@{{ env.IRONIC_INSPECTOR_SOURCE }}
{% endif %}
{% else %}
ironic-inspector @ git+https://opendev.org/openstack/ironic-inspector
{% endif %}
{% if env.IRONIC_LIB_SOURCE %}
{% if path.isdir('/sources/' + env.IRONIC_LIB_SOURCE) %}
git+file:///sources/{{ env.IRONIC_LIB_SOURCE }}
13 changes: 4 additions & 9 deletions prepare-image.sh
Expand Up @@ -28,8 +28,6 @@ if [[ "$INSTALL_TYPE" == "source" ]]; then
# emulate uid/gid configuration to match rpm install
IRONIC_UID=997
IRONIC_GID=994
INSPECTOR_UID=996
INSPECTOR_GID=993
BUILD_DEPS="python3-devel gcc git-core python3-setuptools python3-jinja2"
dnf upgrade -y
# NOTE(dtantsur): pip is a requirement of python3 in CentOS
Expand Down Expand Up @@ -60,12 +58,10 @@ if [[ "$INSTALL_TYPE" == "source" ]]; then

python3 -m pip install --ignore-installed --prefix /usr -r "$IRONIC_PKG_LIST_FINAL" -c "${UPPER_CONSTRAINTS_PATH}"

# ironic and ironic-inspector system configuration
mkdir -p /var/log/ironic /var/log/ironic-inspector /var/lib/ironic /var/lib/ironic-inspector
# ironic system configuration
mkdir -p /var/log/ironic /var/lib/ironic
getent group ironic > /dev/null || groupadd -r ironic -g "${IRONIC_GID}"
getent passwd ironic > /dev/null || useradd -r -g ironic -u "${IRONIC_UID}" -s /sbin/nologin ironic -d /var/lib/ironic
getent group ironic-inspector > /dev/null || groupadd -r ironic-inspector -g "${INSPECTOR_GID}"
getent passwd ironic-inspector > /dev/null || useradd -r -g ironic-inspector -u "${INSPECTOR_UID}" -s /sbin/nologin ironic-inspector -d /var/lib/ironic-inspector

# clean installed build dependencies
# shellcheck disable=SC2086
Expand Down Expand Up @@ -93,11 +89,10 @@ chown ironic:ironic /var/log/ironic
rm -f /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.modules.d/*.conf

# RDO-provided configuration forces creating log files
rm -f /usr/share/ironic/ironic-dist.conf /etc/ironic-inspector/inspector-dist.conf
rm -f /usr/share/ironic/ironic-dist.conf

# add ironic and ironic-inspector to apache group
# add ironic to apache group
usermod -aG ironic apache
usermod -aG ironic-inspector apache

# apply patches if present #
if [[ -n "${PATCH_LIST:-}" ]]; then
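Review bot: The new comment `# add ironic to apache group` states the membership the wrong way round: `usermod -aG ironic apache` appends the apache user to the ironic group, so it is httpd that gains group access to ironic-owned files. The direction matters to anyone auditing which identity can reach the files under /etc/ironic, so I would write `# add the apache user to the ironic group`. These are top-level statements; the `if` that opens on the hunk's last line continues outside it.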
18 changes: 0 additions & 18 deletions scripts/auth-common.sh
Expand Up @@ -3,13 +3,10 @@
set -euxo pipefail

export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}

IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd

configure_client_basic_auth()
{
Expand Down Expand Up @@ -48,24 +45,9 @@ configure_ironic_auth()
fi
}

configure_inspector_auth()
{
local config=/etc/ironic-inspector/ironic-inspector.conf
if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
fi
fi
}

write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
fi
}