PXE Driver substrate support

Previously support for PXE drivers was incomplete as the underlying iSCSI client and sudoers configuration was not present which prevented ironic from leverating the drivers unless the user put the substrate into place independently of bifrost. Updated installation and configuration steps to put support into place. Change-Id: If8de1042ad304d56f2c9a8d9ef6a3c5531c44081 Closes-Bug: #1525082
2015-12-19 21:01:05 -05:00 · 2015-12-19 21:01:05 -05:00 · 68a41a97d1
commit 68a41a97d1
parent 00e7ccb55c
7 changed files with 89 additions and 4 deletions
--- a/playbooks/roles/bifrost-ironic-install/README.md
+++ b/playbooks/roles/bifrost-ironic-install/README.md
@ -85,6 +85,13 @@ When testing, the default ironic conductor driver is "agent_ssh". When
 testing mode has not been engaged, drivers can be set via the enabled_drivers
 variable which defaults to: "agent_ipmitool,pxe_amt,agent_ilo,agent_ucs"

+By default, PXE driver baseline support, in terms of installation of the
+iSCSI client and configuration of sudoers and rootwrap configuration is
+enabled. If you wish to disable this functionality, set ``pxe_drivers``
+to a value of ``false``.
+
+pxe_drivers: false
+
 In the event of an external DHCP server being used, the user will need to
 configure their DHCP server such that PXE, and iPXE chain loading occurs.
 For additional information for setting up DHCP in this scenario refer to
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -89,3 +89,4 @@ inspector_port_addition: "pxe"

 # Note: inspector_keep_ports has three valid values: all, present, added
 inspector_keep_ports: "present"
+pxe_drivers: true
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml
@ -43,3 +43,4 @@ required_packages:
 # package list as the installation causes name resolution changes that can
 # temporarily block packages following it while the system is being
 # reconfigured. See: https://review.openstack.org/#/c/223813
+iscsi_client_package: "open-iscsi"
--- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml
@ -39,3 +39,4 @@ required_packages:
 # NOTE(cinerama): amtterm is not currently packaged for RHEL/CentOS 7.
  - libvirt-daemon
  - debootstrap
+iscsi_client_package: "iscsi-initiator-utils"
--- a/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml
@ -29,7 +29,7 @@
    dest=/etc/ironic/ironic.conf
    insertafter="[DEFAULT]"
    regexp='^(.*)enabled_drivers=(.*)$'
-    line="enabled_drivers=agent_ssh"
+    line="enabled_drivers=agent_ssh,pxe_ssh"
  when: testing | bool == true
 - name: "If not testing, set driver list"
  lineinfile:
@ -177,3 +177,9 @@
    regexp='(^#|^)enabled( |)=(.*)$'
    line="enabled = True"
  when: enable_inspector | bool
+- name: "Set sudoers for PXE driver support if enabled"
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^ironic(.*)/etc/ironic/rootwrap.conf(.*)'
+    line: "ironic ALL = (root) NOPASSWD: /usr/local/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *"
+  when: pxe_drivers | bool == true
--- a/playbooks/roles/bifrost-ironic-install/tasks/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/main.yml
@ -64,6 +64,11 @@
    package=UcsSdk
    version=0.8.1.9
  when: skip_install is not defined and testing | bool != true
+- name: "Install iSCSI client if PXE driver support is enabled"
+  package:
+    name: "{{ iscsi_client_package }}"
+    state: present
+  when: skip_install is not defined and pxe_drivers | bool == true
 - name: "Shade - Install"
  include: pip_install.yml
    package=shade
@ -118,11 +123,39 @@
    source_install=true
  when: skip_install is not defined
 - name: "Create an ironic service group"
-  group: name=ironic
+  group:
+    name: "ironic"
 - name: "Create an ironic service user"
-  user: name=ironic group=ironic
+  user:
+    name: "ironic"
+    group: "ironic"
 - name: "Ensure /etc/ironic exists"
-  file: name=/etc/ironic state=directory owner=ironic group=ironic mode=0755
+  file:
+    name: "/etc/ironic"
+    state: directory
+    owner: "ironic"
+    group: "ironic"
+    mode: 0755
+# Note(TheJulia): The rootwrap copies will need to be re-tooled
+# to possibly directly retreive current files if a source install
+# is not utilized.
+- name: "Copy rootwrap.conf from ironic source folder"
+  copy:
+    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf"
+    dest: "/etc/ironic/rootwrap.conf"
+    mode: 0644
+    owner: root
+    group: root
+  when: skip_install is not defined and pxe_drivers | bool == true
+- name: "Copy rootwrap.d contents from ironic source folder"
+  copy:
+    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/"
+    dest: "/etc/ironic/rootwrap.d"
+    mode: 0644
+    owner: root
+    group: root
+    directory_mode: yes
+  when: skip_install is not defined and pxe_drivers | bool == true
 - name: "Generate ironic Configuration"
  include: ironic_config.yml
 - name: "Copy policy.json to /etc/ironic"
@ -169,6 +202,16 @@
 - name: "Get ironic-api & ironic-conductor install location"
  shell: echo $(dirname $(which ironic-api))
  register: ironic_install_prefix
+- name: "Set permissions for /var/lib/ironic for the ironic user"
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "ironic"
+    group: "ironic"
+  with_items:
+    - "/var/lib/ironic"
+    - "/var/lib/ironic/images"
 - name: "Place ironic services"
  template: src={{ init_template }} dest={{ init_dest_dir }}{{item.service_name}}{{ init_ext }} owner=root group=root
  with_items:
--- a/releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml
+++ b/releasenotes/notes/pxe-driver-support-e2d8a769bf910dbc.yaml
@ -0,0 +1,26 @@
+---
+features:
+  - Support for PXE driver substrate is now installed
+    which utilizes iSCSI to write the disk image to the
+    target node. By default, this support is enabled.
+upgrade:
+  - PXE driver substrate support is now enabled by default.
+    If a user wishes to prevent this, the ``pxe_drivers``
+    setting should be set to ``false``.
+security:
+  - PXE driver support substrate has been added, however
+    this requires the ability for the conductor to connect
+    to the node being provisioned via iSCSI. As a result
+    sudoers configuration is updated by default to enable
+    ironic to initiate the iSCSI connection and apply
+    the image to the remote disk. As a reminder, users
+    should default to using agent drivers as cleaning
+    support does not exist in the PXE drivers.
+fixes:
+  - PXE driver support substrate was previously incomplete
+    and has been revised to properly support PXE drivers.
+    This has been tested on Ubuntu 14.04 LTS.
+issues:
+  - Basic testing has revealed that PXE drivers may not
+    result in the configurtion drive being written out
+    with the current configuration of bifrost.