From 28ff3bd09e22051562e188f7eebe61681c917e63 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Thu, 29 Oct 2020 18:29:09 +0100
Subject: [PATCH] Redfish virtual media boot in UEFI

Change-Id: I2ed443bc4b74fa34b169f87f08b7f0a0b68144c0
Depends-On: https://review.opendev.org/760586
---
 playbooks/ci/run.yaml                         |  1 +
 .../bifrost-ironic-install/defaults/main.yml  |  2 +
 .../defaults/required_defaults_CentOS.yml     |  3 +
 .../required_defaults_Debian_family.yml       |  5 ++
 .../defaults/required_defaults_Fedora.yml     |  4 ++
 .../defaults/required_defaults_RedHat.yml     |  3 +
 .../required_defaults_RedHat_family.yml       |  3 +
 .../required_defaults_Suse_family.yml         |  7 +++
 .../defaults/required_defaults_Ubuntu.yml     |  3 +
 .../tasks/bootstrap.yml                       |  6 +-
 .../tasks/create_esp.yml                      | 55 +++++++++++++++++++
 .../templates/ironic.conf.j2                  |  7 +++
 .../notes/vmedia-uefi-ce34974eaacd571c.yaml   |  4 ++
 scripts/test-bifrost.sh                       |  8 +++
 zuul.d/bifrost-jobs.yaml                      |  8 +++
 zuul.d/project.yaml                           |  1 +
 16 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/roles/bifrost-ironic-install/defaults/required_defaults_CentOS.yml
 create mode 100644 playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat.yml
 create mode 100644 playbooks/roles/bifrost-ironic-install/tasks/create_esp.yml
 create mode 100644 releasenotes/notes/vmedia-uefi-ce34974eaacd571c.yaml

diff --git a/playbooks/ci/run.yaml b/playbooks/ci/run.yaml
index 100a14185..911734193 100644
--- a/playbooks/ci/run.yaml
+++ b/playbooks/ci/run.yaml
@@ -17,3 +17,4 @@
         NOAUTH_MODE: "{{ noauth_mode | default(false) | bool | lower }}"
         ENABLE_TLS: "{{ enable_tls | default(false) | bool | lower }}"
         ENABLE_PROMETHEUS_EXPORTER: "{{ enable_prometheus_exporter | default(false) | bool | lower }}"
+        USE_VMEDIA: "{{ use_vmedia | default(false) | bool | lower }}"
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index 0fc79a519..3870be8d2 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -96,6 +96,8 @@ ipa_ramdisk_upstream_checksum_algo: "sha256"
 ipa_ramdisk_upstream_checksum_url: "{{ ipa_ramdisk_upstream_url }}.{{ ipa_ramdisk_upstream_checksum_algo }}"
 deploy_image_filename: "deployment_image.qcow2"
 deploy_image: "{{http_boot_folder}}/{{deploy_image_filename}}"
+esp_image: "{{ http_boot_folder }}/esp.img"
+esp_image_url: "{{ ipa_file_protocol }}://{{ internal_ip }}:{{ file_url_port }}/esp.img"
 # Use cirros instead of building an image via diskimage-builder
 use_cirros: false
 # Download IPA by default
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_CentOS.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_CentOS.yml
new file mode 100644
index 000000000..d2edf2546
--- /dev/null
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_CentOS.yml
@@ -0,0 +1,3 @@
+---
+efi_distro: centos
+grub_efi_binary: /boot/efi/EFI/centos/grubx64.efi
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml
index be1e74478..39854b36f 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml
@@ -6,6 +6,9 @@ ironic_rootwrap_dir: /usr/local/bin/
 nginx_user: www-data
 mysql_service_name: mysql
 tftp_service_name: tftpd-hpa
+efi_distro: debian
+grub_efi_binary: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
+shim_efi_binary: /usr/lib/shim/shimx64.efi.signed
 required_packages:
   - mariadb-server
   - python-dev
@@ -35,6 +38,8 @@ required_packages:
   - dnsmasq
   - apache2-utils
   - isolinux
+  - grub-efi-amd64-signed
+  - shim-signed
 # NOTE(TheJulia): The above entry for dnsmasq must be the last entry in the
 # package list as the installation causes name resolution changes that can
 # temporarily block packages following it while the system is being
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
index 298fb41bc..e638bc44e 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml
@@ -6,11 +6,14 @@ ironic_rootwrap_dir: /usr/bin/
 nginx_user: nginx
 mysql_service_name: mariadb
 tftp_service_name: tftp
+efi_distro: fedora
+grub_efi_binary: /boot/efi/EFI/fedora/grubx64.efi
 required_packages:
   - dnsmasq
   - firewalld
   - gcc
   - genisoimage
+  - grub2-efi-x64
   - httpd-tools
   - ipmitool
   - ipxe-bootimgs
@@ -31,6 +34,7 @@ required_packages:
   - python3-PyMySQL
   - qemu-img
   - qemu-kvm
+  - shim-x64
   - socat
   - syslinux-nonlinux
   - tftp-server
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat.yml
new file mode 100644
index 000000000..b34222981
--- /dev/null
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat.yml
@@ -0,0 +1,3 @@
+---
+efi_distro: rhel
+grub_efi_binary: /boot/efi/EFI/rhel/grubx64.efi
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
index 2a1d65f1b..ff07fd277 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
@@ -7,6 +7,7 @@ ironic_rootwrap_dir: /usr/bin/
 nginx_user: nginx
 mysql_service_name: mariadb
 tftp_service_name: tftp
+shim_efi_binary: /boot/efi/EFI/BOOT/BOOTX64.EFI
 required_packages:
   - mariadb-server
   - dnsmasq
@@ -38,6 +39,8 @@ required_packages:
   - python3-firewall
   - httpd-tools
   - syslinux-nonlinux
+  - grub2-efi-x64
+  - shim-x64
 iscsi_required_packages:
   - iscsi-initiator-utils
   - gdisk
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml
index 2c601ba65..73755700a 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml
@@ -7,6 +7,11 @@ ironic_rootwrap_dir: /usr/bin/
 nginx_user: nginx
 mysql_service_name: mysql
 tftp_service_name: tftp
+# FIXME(dtantsur): this may be incorrect, but I cannot figure out the correct
+# path from just looking at various sources.
+efi_distro: BOOT
+grub_efi_binary: /usr/share/efi/x86_64/grub.efi
+shim_efi_binary: /usr/share/efi/x86_64/shim.efi
 required_packages:
   - python-selinux
   - mariadb-server
@@ -40,6 +45,8 @@ required_packages:
   - python-PyMySQL
   - apache2-utils
   - syslinux
+  - grub2-x86_64-efi
+  - shim
 iscsi_required_packages:
   - open-iscsi
   - gptfdisk
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml
index 31e8212b0..f30718650 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml
@@ -1,5 +1,6 @@
 ---
 init_dest_dir: /lib/systemd/system/
+efi_distro: ubuntu
 required_packages:
   - mariadb-server
   - python3-dev
@@ -29,6 +30,8 @@ required_packages:
   - dnsmasq
   - apache2-utils
   - isolinux
+  - grub-efi-amd64-signed
+  - shim-signed
 # NOTE(TheJulia): The above entry for dnsmasq must be the last entry in the
 # package list as the installation causes name resolution changes that can
 # temporarily block packages following it while the system is being
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index db98889ac..d1729cc9d 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -222,7 +222,11 @@
       args: '--config-file /etc/ironic/ironic.conf'
 
 - name: "Create and populate /tftpboot"
-  include: create_tftpboot.yml
+  import_tasks: create_tftpboot.yml
+
+- name: "Create an ESP image"
+  import_tasks: create_esp.yml
+
 - name: "Setup Inventory Hosts Directory"
   file:
     path: "/etc/dnsmasq.d/bifrost.hosts.d"
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/create_esp.yml b/playbooks/roles/bifrost-ironic-install/tasks/create_esp.yml
new file mode 100644
index 000000000..2407ee03c
--- /dev/null
+++ b/playbooks/roles/bifrost-ironic-install/tasks/create_esp.yml
@@ -0,0 +1,55 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Create a temporary directory for mounting ESP"
+  tempfile:
+    state: directory
+  register: esp_temp_dir
+
+- name: "Create an empty ESP image"
+  command: dd if=/dev/zero of={{ esp_image }} bs=4096 count=1024
+
+- name: "Initialize ESP filesystem"
+  command: mkfs.fat -s 4 -r 512 -S 4096 {{ esp_image }}
+
+- name: "Mount ESP filesystem"
+  command: mount {{ esp_image }} {{ esp_temp_dir.path }}  # noqa 303
+
+- block:
+    - name: "Create ESP boot directory"
+      file:
+        path: "{{ esp_temp_dir.path }}/EFI/BOOT"
+        state: directory
+
+    - name: "Copy the shim image to ESP"
+      copy:
+        src: "{{ shim_efi_binary }}"
+        remote_src: true
+        dest: "{{ esp_temp_dir.path }}/EFI/BOOT/BOOTX64.efi"
+
+    - name: "Copy the grub2 image to ESP"
+      copy:
+        src: "{{ grub_efi_binary }}"
+        remote_src: true
+        dest: "{{ esp_temp_dir.path }}/EFI/BOOT/GRUBX64.efi"
+
+  always:
+    - name: "Unmount ESP filesystem"
+      command: umount {{ esp_temp_dir.path }}
+
+- name: "Ensure ESP image is readable"
+  file:
+    path: "{{ esp_image }}"
+    owner: ironic
+    group: ironic
+    mode: 0644
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
index 17c88b96b..80f52528f 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@@ -19,6 +19,10 @@ enabled_deploy_interfaces = {{ enabled_deploy_interfaces }}
 
 enabled_hardware_types = {{ enabled_hardware_types }}
 
+{% if default_boot_interface is defined %}
+default_boot_interface = {{ default_boot_interface }}
+{% endif %}
+
 default_resource_class = {{ default_resource_class }}
 
 rpc_transport = json-rpc
@@ -38,6 +42,8 @@ log_dir = {{ ironic_log_dir }}
 
 isolinux_bin = {{ isolinux_bin_path }}
 
+grub_config_path = EFI/{{ efi_distro }}/grub.cfg
+
 {% if enable_tls | bool %}
 [api]
 enable_ssl_api = True
@@ -92,6 +98,7 @@ deploy_kernel = {{ ipa_kernel_url }}
 deploy_ramdisk = {{ ipa_ramdisk_url }}
 rescue_kernel = {{ ipa_kernel_url }}
 rescue_ramdisk = {{ ipa_ramdisk_url }}
+bootloader = {{ esp_image_url }}
 {% if enable_prometheus_exporter | bool %}
 send_sensor_data = true
 send_sensor_data_for_undeployed_nodes = {{ sensor_data_undeployed_nodes }}
diff --git a/releasenotes/notes/vmedia-uefi-ce34974eaacd571c.yaml b/releasenotes/notes/vmedia-uefi-ce34974eaacd571c.yaml
new file mode 100644
index 000000000..aca21330d
--- /dev/null
+++ b/releasenotes/notes/vmedia-uefi-ce34974eaacd571c.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds support for Redfish virtual media in UEFI mode.
diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh
index 0bc1c8a1c..d3b62642c 100755
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@@ -15,6 +15,7 @@ CLI_TEST=${CLI_TEST:-false}
 BOOT_MODE=${BOOT_MODE:-}
 ENABLE_TLS=${ENABLE_TLS:-false}
 ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false}
+USE_VMEDIA=${USE_VMEDIA:-false}
 
 # Set defaults for ansible command-line options to drive the different
 # tests.
@@ -107,6 +108,13 @@ if [[ -n "$BOOT_MODE" ]]; then
     VM_SETUP_EXTRA+=" -e default_boot_mode=$BOOT_MODE"
 fi
 
+if [ ${USE_VMEDIA} = "true" ]; then
+    TEST_VM_NODE_DRIVER=redfish
+    CLOUD_CONFIG+=" -e default_boot_interface=redfish-virtual-media"
+    # The default won't work for other hardware types
+    CLOUD_CONFIG+=" -e enabled_hardware_types=redfish"
+fi
+
 logs_on_exit() {
     $SCRIPT_HOME/collect-test-info.sh
 }
diff --git a/zuul.d/bifrost-jobs.yaml b/zuul.d/bifrost-jobs.yaml
index aa4d9ad47..455458eb2 100644
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@@ -109,6 +109,14 @@
       test_driver: redfish
       enable_prometheus_exporter: true
 
+- job:
+    name: bifrost-integration-redfish-vmedia-uefi-ubuntu-focal
+    parent: bifrost-integration-tinyipa-ubuntu-focal
+    vars:
+      boot_mode: uefi
+      test_driver: redfish
+      use_vmedia: true
+
 - job:
     name: bifrost-cli-ubuntu-focal
     parent: bifrost-integration-tinyipa-ubuntu-focal
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 34e639825..f3af3a4f6 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -12,6 +12,7 @@
         - bifrost-integration-tinyipa-centos-8
         - bifrost-integration-tinyipa-keystone-ubuntu-focal
         - bifrost-integration-tinyipa-keystone-centos-8
+        - bifrost-integration-redfish-vmedia-uefi-ubuntu-focal
         # Non-voting jobs
         - bifrost-integration-tinyipa-ubuntu-bionic:
             voting: false