Merge "Configure the new inspection implementation"

doc/source/user/architecture.rst

@@ -17,7 +17,8 @@ ironic-inspector_
     Inspector is an auxiliary service that provides `in-band inspection`_.
     Its `introspection API`_ is served on TCP port 5050.
 
-    Inspector can be disabled by setting ``enable_inspector=false``.
+    Inspector can be disabled by setting ``enable_inspector=false``. In this
+    case, Ironic's `native in-band inspection`_ will be used.
 
 mariadb_
     MariaDB is used as a database to persistently store information.
@@ -194,8 +195,9 @@ Runtime locations
 .. _ironic: https://docs.openstack.org/ironic/latest/
 .. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
 .. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/
-.. _in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection.html#in-band-inspection
+.. _in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/inspector.html
 .. _introspection API: https://docs.openstack.org/api-ref/baremetal-introspection/
+.. _native in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/index.html
 .. _mariadb: https://mariadb.org/
 .. _nginx: https://nginx.org/
 .. _dnsmasq: https://dnsmasq.org/

playbooks/ci/run.yaml

@@ -23,3 +23,4 @@
         ENABLE_TLS: "{{ enable_tls | default(false) | bool | lower }}"
         ENABLE_PROMETHEUS_EXPORTER: "{{ enable_prometheus_exporter | default(false) | bool | lower }}"
         USE_VMEDIA: "{{ use_vmedia | default(false) | bool | lower }}"
+        USE_INSPECTOR: "{{ use_inspector | default(true) | bool | lower }}"

playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml

@@ -201,4 +201,10 @@
     owner: ironic
     group: ironic
     mode: "0644"
-  when: enable_inspector | bool
+  vars:
+    inspection_callback_url: >-
+      {% if enable_inspector | bool %}
+      {{ api_protocol }}://{{ internal_ip }}:5050/v1/continue
+      {% else %}
+      {{ api_protocol }}://{{ internal_ip }}:6385/v1/continue_inspection
+      {% endif %}

playbooks/roles/bifrost-ironic-install/tasks/inspector_start.yml

@@ -18,3 +18,18 @@
     name: ironic-inspector
     state: restarted
     enabled: yes
+  when: enable_inspector | bool
+
+- name: "Stop inspector if it is disabled"
+  service:
+    name: ironic-inspector
+    state: stopped
+    enabled: no
+  ignore_errors: true
+  when: not enable_inspector | bool
+
+- name: "Remove inspector if it is disabled"
+  file:
+    path: "{{ init_dest_dir }}ironic-inspector.service"
+    state: absent
+  when: not enable_inspector | bool

playbooks/roles/bifrost-ironic-install/tasks/start.yml

@@ -31,9 +31,8 @@
     state: started
     enabled: yes
 
-- name: "Start ironic-inspector"
+- name: "Start/stop ironic-inspector"
   include_tasks: inspector_start.yml
-  when: enable_inspector | bool
 
 - name: "Stop old ironic services"
   service:

playbooks/roles/bifrost-ironic-install/templates/inspector-default-boot-ipxe.j2

@@ -5,6 +5,6 @@ dhcp || reboot
 goto introspect
 
 :introspect
-kernel {{ ipa_kernel_url }} ipa-inspection-callback-url={{ api_protocol }}://{{ internal_ip }}:5050/v1/continue {% if fast_track | bool %}ipa-api-url={{ api_protocol }}://{{ internal_ip }}:6385{% endif %} systemd.journald.forward_to_console=yes BOOTIF=${mac} nofb nomodeset vga=normal {% if testing | bool %}console=ttyS0{% endif %} {{ inspector_extra_kernel_options | default('') }} ipa-insecure=1 {% if inspector_debug | bool %}ipa-debug=1{% endif %} initrd={{ ipa_ramdisk_url | basename }}
+kernel {{ ipa_kernel_url }} ipa-inspection-callback-url={{ inspection_callback_url }} {% if fast_track | bool %}ipa-api-url={{ api_protocol }}://{{ internal_ip }}:6385{% endif %} systemd.journald.forward_to_console=yes BOOTIF=${mac} nofb nomodeset vga=normal {% if testing | bool %}console=ttyS0{% endif %} {{ inspector_extra_kernel_options | default('') }} ipa-insecure=1 {% if inspector_debug | bool %}ipa-debug=1{% endif %} initrd={{ ipa_ramdisk_url | basename }}
 initrd {{ ipa_ramdisk_url }}
 boot

playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2

@@ -8,8 +8,11 @@ debug = {{ ironic_debug | bool }}
 enabled_network_interfaces = noop
 default_deploy_interface = {{ default_deploy_interface }}
 {% if enable_inspector | bool == true %}
-enabled_inspect_interfaces = no-inspect,inspector
+enabled_inspect_interfaces = no-inspect,inspector,agent
 default_inspect_interface = inspector
+{% else %}
+enabled_inspect_interfaces = no-inspect,agent
+default_inspect_interface = agent
 {% endif %}
 enabled_bios_interfaces = {{ enabled_bios_interfaces }}
 enabled_boot_interfaces = {{ enabled_boot_interfaces }}
@@ -147,11 +150,13 @@ kernel_append_params = {{ ilo_kernel_params }}
 use_swift = False
 kernel_append_params = {{ redfish_kernel_params }}
 
-{% if enable_inspector | bool == true %}
 [inspector]
 power_off = {{ power_off_after_inspection }}
 extra_kernel_params = {{ inspector_extra_kernel_options | default('') }}
 require_managed_boot = False
+add_ports = {{ inspector_port_addition | default('pxe') }}
+keep_ports = {{ inspector_keep_ports | default('present') }}
+{% if enable_inspector | bool %}
 {% if enable_keystone | bool %}
 auth_type = password
 auth_url = {{ ironic.service_catalog.auth_url }}

playbooks/roles/bifrost-test-inspection/tasks/main.yml

@@ -13,12 +13,11 @@
 # limitations under the License.
 ---
 - name: Check node hardware inspection data
-  command: "baremetal introspection data save {{ uuid }}"
+  command: "baremetal node inventory save {{ uuid }}"
   register: inspection_data
   environment:
     OS_CLOUD: bifrost
 
-# TODO(mgoddard): More validation of data format and contents.
 - name: Validate the inspection data format
   assert:
     that:

releasenotes/notes/new-inspection-441b578de2206415.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    When ``enable_inspector`` is set to ``false`` (the default is ``true``),
+    the new built-in inspection implementation is now configured. Note that
+
+    * The new implementation has not at the moment of writing achieved a
+      complete feature parity with ironic-inspector: see
+      https://docs.openstack.org/ironic/latest/admin/inspection/index.html
+      for the available features.
+
+    * Whether inspection actually runs is not defined by this parameter but
+      rather by ``inspect_nodes`` (or the ``--inspect`` argument to
+      ``./bifrost-cli enroll``).
+upgrade:
+  - |
+    If ironic-inspector support is disabled via ``enable_inspector`` set to
+    ``false``, the service will be stopped and removed on upgrade.

scripts/test-bifrost.sh

@@ -35,7 +35,7 @@ TEST_VM_NUM_NODES=1
 DOWNLOAD_CUSTOM_DEPLOY_IMAGE=true
 TESTING_USER=cirros
 TEST_PLAYBOOK="test-bifrost.yaml"
-USE_INSPECTOR=true
+USE_INSPECTOR=${USE_INSPECTOR:-true}
 INSPECT_NODES=true
 INVENTORY_DHCP=false
 INVENTORY_DHCP_STATIC_IP=false

zuul.d/bifrost-jobs.yaml

@@ -119,6 +119,12 @@
       test_driver: redfish
       enable_prometheus_exporter: true
 
+- job:
+    name: bifrost-integration-noinspector-ubuntu-jammy
+    parent: bifrost-integration-tinyipa-ubuntu-jammy
+    vars:
+      use_inspector: false
+
 - job:
     name: bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
     parent: bifrost-integration-tinyipa-ubuntu-jammy
@@ -164,6 +170,12 @@
       test_driver: redfish
       enable_prometheus_exporter: true
 
+- job:
+    name: bifrost-integration-noinspector-centos-9
+    parent: bifrost-integration-tinyipa-centos-9
+    vars:
+      use_inspector: false
+
 - job:
     name: bifrost-integration-tinyipa-debian-bullseye
     parent: bifrost-integration-tinyipa

zuul.d/project.yaml

@@ -16,6 +16,8 @@
         - bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
         - bifrost-integration-redfish-vmedia-uefi-centos-9
         - bifrost-integration-redfish-vmedia-uefi-debian-bookworm
+        - bifrost-integration-noinspector-centos-9
+        - bifrost-integration-noinspector-ubuntu-jammy
         - bifrost-upgrade-ubuntu-jammy
         - bifrost-upgrade-keystone-centos9
         # Non-voting jobs
@@ -64,6 +66,8 @@
         - bifrost-integration-redfish-vmedia-uefi-ubuntu-jammy
         - bifrost-integration-redfish-vmedia-uefi-centos-9
         - bifrost-integration-redfish-vmedia-uefi-debian-bookworm
+        - bifrost-integration-noinspector-centos-9
+        - bifrost-integration-noinspector-ubuntu-jammy
         - bifrost-upgrade-ubuntu-jammy
         - bifrost-upgrade-keystone-centos9
     experimental: