Hardware introspection daemon for OpenStack Ironic

  #!/usr/bin/env bash
  # ironic-inspector DevStack plugin: locations of the service binaries and
  # configuration files, plus basic service defaults. Settings written as
  # ${VAR:=default} keep any non-empty value that is already set.
  # NOTE(review): DEST, DATA_DIR and get_python_exec_prefix are not defined in
  # this listing; presumably DevStack supplies them - confirm.

  : "${IRONIC_INSPECTOR_DEBUG:=True}"
  IRONIC_INSPECTOR_DIR="$DEST/ironic-inspector"
  IRONIC_INSPECTOR_DATA_DIR="$DATA_DIR/ironic-inspector"
  IRONIC_INSPECTOR_BIN_DIR="$(get_python_exec_prefix)"
  IRONIC_INSPECTOR_BIN_FILE="$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector"
  IRONIC_INSPECTOR_BIN_FILE_API="$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-api-wsgi"
  IRONIC_INSPECTOR_BIN_FILE_CONDUCTOR="$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-conductor"
  IRONIC_INSPECTOR_DBSYNC_BIN_FILE="$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-dbsync"

  # Configuration files all live under one directory.
  : "${IRONIC_INSPECTOR_CONF_DIR:=/etc/ironic-inspector}"
  IRONIC_INSPECTOR_CONF_FILE="$IRONIC_INSPECTOR_CONF_DIR/inspector.conf"
  IRONIC_INSPECTOR_CMD="$IRONIC_INSPECTOR_BIN_FILE --config-file $IRONIC_INSPECTOR_CONF_FILE"
  IRONIC_INSPECTOR_CMD_CONDUCTOR="$IRONIC_INSPECTOR_BIN_FILE_CONDUCTOR --config-file $IRONIC_INSPECTOR_CONF_FILE"
  IRONIC_INSPECTOR_DHCP_CONF_FILE="$IRONIC_INSPECTOR_CONF_DIR/dnsmasq.conf"
  IRONIC_INSPECTOR_ROOTWRAP_CONF_FILE="$IRONIC_INSPECTOR_CONF_DIR/rootwrap.conf"

  : "${IRONIC_INSPECTOR_ADMIN_USER:=ironic-inspector}"
  : "${IRONIC_INSPECTOR_AUTH_CACHE_DIR:=/var/cache/ironic-inspector}"
  # PXE filter driver; the deprecation message in this file lists
  # noop/iptables/dnsmasq as the accepted values.
  : "${IRONIC_INSPECTOR_DHCP_FILTER:=iptables}"
  : "${IRONIC_INSPECTOR_STANDALONE:=True}"

  # Support entry points installation of console scripts
  IRONIC_INSPECTOR_UWSGI="$IRONIC_INSPECTOR_BIN_DIR/ironic-inspector-api-wsgi"
  IRONIC_INSPECTOR_UWSGI_CONF="$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.ini"
  # Backward compatibility for the deprecated IRONIC_INSPECTOR_MANAGE_FIREWALL
  # switch. It may only be combined with the iptables filter driver; a false
  # value is translated into IRONIC_INSPECTOR_DHCP_FILTER=noop.
  if [[ -n "${IRONIC_INSPECTOR_MANAGE_FIREWALL}" ]]; then
      printf '%s\n' \
          "IRONIC_INSPECTOR_MANAGE_FIREWALL is deprecated." \
          "Please, use IRONIC_INSPECTOR_DHCP_FILTER == noop/iptables/dnsmasq instead." >&2

      case "$IRONIC_INSPECTOR_DHCP_FILTER" in
          iptables)
              ;;
          *)
              # The deprecated flag and a filter driver are both set, but the
              # driver is not iptables: refuse to guess which one wins.
              printf '%s\n' \
                  "Inconsistent configuration: IRONIC_INSPECTOR_MANAGE_FIREWALL used while" \
                  "IRONIC_INSPECTOR_DHCP_FILTER == $IRONIC_INSPECTOR_DHCP_FILTER" >&2
              exit 1
              ;;
      esac

      if [[ "$(trueorfalse True IRONIC_INSPECTOR_MANAGE_FIREWALL)" == "False" ]]; then
          printf '%s\n' \
              "IRONIC_INSPECTOR_MANAGE_FIREWALL == False" \
              "Setting IRONIC_INSPECTOR_DHCP_FILTER=noop" >&2
          IRONIC_INSPECTOR_DHCP_FILTER=noop
      fi
  fi
  # Settings for the dnsmasq DHCP filter driver.
  # The hosts directory default is overridden to a path under /etc so that
  # devstack collects the MAC files.
  : "${IRONIC_INSPECTOR_DHCP_HOSTSDIR:=/etc/ironic-inspector/dhcp-hostsdir}"
  : "${IRONIC_INSPECTOR_DNSMASQ_STOP_COMMAND:=systemctl stop devstack@ironic-inspector-dhcp}"
  : "${IRONIC_INSPECTOR_DNSMASQ_START_COMMAND:=systemctl start devstack@ironic-inspector-dhcp}"

  IRONIC_INSPECTOR_HOST="$SERVICE_HOST"
  IRONIC_INSPECTOR_PORT=5050

  # API address: a path on the host when standalone mode is off, otherwise
  # the service's own port. Both forms use plain http://.
  case "$IRONIC_INSPECTOR_STANDALONE" in
      False)
          IRONIC_INSPECTOR_URI="http://$IRONIC_INSPECTOR_HOST/baremetal-introspection"
          ;;
      *)
          IRONIC_INSPECTOR_URI="http://$IRONIC_INSPECTOR_HOST:$IRONIC_INSPECTOR_PORT"
          ;;
  esac
  # Inspection ramdisk: either built locally or downloaded.
  IRONIC_INSPECTOR_BUILD_RAMDISK="$(trueorfalse False IRONIC_INSPECTOR_BUILD_RAMDISK)"
  : "${IRONIC_RAMDISK_BRANCH:=${ZUUL_BRANCH:-master}}"
  # NOTE(review): both default image URLs use plain http://, and prepare_tftp
  # in this file downloads them with wget without verifying a checksum or
  # signature. Override them with a trusted source outside a throwaway lab.
  : "${IRONIC_AGENT_KERNEL_URL:=http://tarballs.openstack.org/ironic-python-agent-builder/dib/files/ipa-centos8-$IRONIC_RAMDISK_BRANCH.kernel}"
  : "${IRONIC_AGENT_RAMDISK_URL:=http://tarballs.openstack.org/ironic-python-agent-builder/dib/files/ipa-centos8-$IRONIC_RAMDISK_BRANCH.initramfs}"
  : "${IRONIC_INSPECTOR_COLLECTORS:=default,logs,pci-devices}"
  : "${IRONIC_INSPECTOR_RAMDISK_LOGDIR:=$IRONIC_INSPECTOR_DATA_DIR/ramdisk-logs}"
  : "${IRONIC_INSPECTOR_ALWAYS_STORE_RAMDISK_LOGS:=True}"
  : "${IRONIC_INSPECTOR_TIMEOUT:=600}"
  : "${IRONIC_INSPECTOR_CLEAN_UP_PERIOD:=}"

  # These should not overlap with other ranges/networks
  : "${IRONIC_INSPECTOR_INTERNAL_IP:=172.24.42.254}"
  : "${IRONIC_INSPECTOR_INTERNAL_SUBNET_SIZE:=24}"
  : "${IRONIC_INSPECTOR_DHCP_RANGE:=172.24.42.100,172.24.42.253}"
  : "${IRONIC_INSPECTOR_INTERFACE:=br-inspector}"
  IRONIC_INSPECTOR_INTERFACE_PHYSICAL="$(trueorfalse False IRONIC_INSPECTOR_INTERFACE_PHYSICAL)"

  # Address on the inspection network that the ramdisk calls back to.
  case "$IRONIC_INSPECTOR_STANDALONE" in
      False)
          IRONIC_INSPECTOR_INTERNAL_URI="http://$IRONIC_INSPECTOR_INTERNAL_IP/baremetal-introspection"
          ;;
      *)
          IRONIC_INSPECTOR_INTERNAL_URI="http://$IRONIC_INSPECTOR_INTERNAL_IP:$IRONIC_INSPECTOR_PORT"
          ;;
  esac
  IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET="$IRONIC_INSPECTOR_INTERNAL_IP/$IRONIC_INSPECTOR_INTERNAL_SUBNET_SIZE"
  # Whether DevStack will be setup for bare metal or VMs
  IRONIC_IS_HARDWARE="$(trueorfalse False IRONIC_IS_HARDWARE)"

  : "${IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK:=}"
  : "${IRONIC_INSPECTOR_OVS_PORT:=brbm-inspector}"
  : "${IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE:=}"
  : "${IRONIC_INSPECTOR_POWER_OFF:=True}"
  IRONIC_INSPECTOR_MANAGED_BOOT="$(trueorfalse False IRONIC_INSPECTOR_MANAGED_BOOT)"
  : "${IRONIC_INSPECTION_NET_NAME:=$IRONIC_CLEAN_NET_NAME}"

  # Introspection data goes to swift when that service is enabled and to the
  # database otherwise, unless a store was chosen explicitly.
  DEFAULT_DATA_STORE=database
  if is_service_enabled swift; then
      DEFAULT_DATA_STORE=swift
  fi
  : "${IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE:=$DEFAULT_DATA_STORE}"

  # Source location of the client library.
  GITDIR["python-ironic-inspector-client"]="$DEST/python-ironic-inspector-client"
  GITREPO["python-ironic-inspector-client"]="${IRONIC_INSPECTOR_CLIENT_REPO:-${GIT_BASE}/openstack/python-ironic-inspector-client.git}"
  GITBRANCH["python-ironic-inspector-client"]="${IRONIC_INSPECTOR_CLIENT_BRANCH:-master}"

  # This is defined in ironic's devstack plugin. Redefine it just in case, and
  # insert "inspector" if it's missing.
  : "${IRONIC_ENABLED_INSPECT_INTERFACES:=inspector,no-inspect,fake}"
  case "$IRONIC_ENABLED_INSPECT_INTERFACES" in
      *inspector*)
          ;;
      *)
          IRONIC_ENABLED_INSPECT_INTERFACES="inspector,$IRONIC_ENABLED_INSPECT_INTERFACES"
          ;;
  esac

  # Ironic Inspector tempest variables
  : "${IRONIC_INSPECTOR_TEMPEST_DISCOVERY_TIMEOUT:=}"
  : "${IRONIC_INSPECTOR_TEMPEST_INTROSPECTION_TIMEOUT:=}"
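  ### Utilities

  # Ensure a directory exists and hand its ownership to the stack user.
  # Globals:   STACK_USER (read)
  # Arguments: $1 - directory path
  # Returns:   status of the final chown
  function mkdir_chown_stack {
      local dir=$1
      if [[ ! -d "$dir" ]]; then
          sudo mkdir -p -- "$dir"
      fi
      # Both operands are quoted: this runs as root, so a value containing
      # whitespace or glob characters must not turn into extra chown operands.
      sudo chown -- "$STACK_USER" "$dir"
  }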
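  # Set one option in the inspector configuration file.
  # Globals:   IRONIC_INSPECTOR_CONF_FILE (read)
  # Arguments: $1 - section, $2 - option, remaining arguments - the value
  function inspector_iniset {
      local section=$1
      local option=$2
      shift 2
      # iniset takes the value as its fourth argument, so the remaining words
      # are joined into one. Section and option are quoted as well, otherwise
      # an empty or space-containing name would shift the argument positions.
      iniset "$IRONIC_INSPECTOR_CONF_FILE" "$section" "$option" "$*"
  }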
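  ### Install-start-stop

  # Install ironic-inspector from its source tree and, when standalone mode
  # is off, the extra pieces needed for the WSGI deployment.
  # Globals: IRONIC_INSPECTOR_DIR, IRONIC_INSPECTOR_STANDALONE (read)
  function install_inspector {
      # Quoted so a checkout path containing spaces stays a single argument.
      setup_develop "$IRONIC_INSPECTOR_DIR"

      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
          install_apache_wsgi
          # NOTE(rpittau) since devstack doesn't install test-requirements
          # anymore we need to install dependencies for drivers before
          # starting inspector services
          pip_install_gr pymemcache
      fi
  }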
  # Install the dnsmasq package used as the inspection DHCP server.
  install_inspector_dhcp() {
      install_package dnsmasq
  }
  # Install python-ironic-inspector-client, from git when the library is
  # selected for that and through pip_install_gr otherwise.
  install_inspector_client() {
      local lib=python-ironic-inspector-client

      if ! use_library_from_git "$lib"; then
          pip_install_gr "$lib"
          return
      fi

      git_clone_by_name "$lib"
      setup_dev_lib "$lib"
  }
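  # Start the inspector service(s) and wait until the API answers.
  # Globals: IRONIC_INSPECTOR_STANDALONE, IRONIC_INSPECTOR_CMD,
  #          IRONIC_INSPECTOR_CMD_CONDUCTOR, IRONIC_INSPECTOR_BIN_DIR,
  #          IRONIC_INSPECTOR_UWSGI_CONF, IRONIC_INSPECTOR_CONF_FILE,
  #          IRONIC_INSPECTOR_URI, SERVICE_TIMEOUT (all read)
  function start_inspector {
      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "True" ]]; then
          run_process ironic-inspector "$IRONIC_INSPECTOR_CMD"
      else
          run_process ironic-inspector-api "$IRONIC_INSPECTOR_BIN_DIR/uwsgi --procname-prefix ironic-inspector-api --ini $IRONIC_INSPECTOR_UWSGI_CONF --pyargv \"--config-file $IRONIC_INSPECTOR_CONF_FILE\""
          run_process ironic-inspector-conductor "$IRONIC_INSPECTOR_CMD_CONDUCTOR"
      fi

      echo "Waiting for ironic-inspector API to start..."
      # The URI is handed to the inner shell as a positional parameter rather
      # than pasted into the command string, so it is never parsed as shell
      # code there.
      if ! timeout "$SERVICE_TIMEOUT" sh -c \
          'while ! wget --no-proxy -q -O- "$1"; do sleep 1; done' \
          sh "$IRONIC_INSPECTOR_URI"; then
          die "$LINENO" "ironic-inspector API did not start"
      fi
  }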
  # Succeed when the plugin has to run its own DHCP server: managed boot is
  # off, and either the deprecated firewall flag is "True" or the filter
  # driver is anything other than "noop".
  # Globals: IRONIC_INSPECTOR_MANAGED_BOOT, IRONIC_INSPECTOR_MANAGE_FIREWALL,
  #          IRONIC_INSPECTOR_DHCP_FILTER (all read)
  is_inspector_dhcp_required() {
      local filter=${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}

      # "a || b && c" groups left to right in shell, i.e. (a || b) && c, so
      # the managed-boot test gates both alternatives.
      if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" != "False" ]]; then
          return 1
      fi
      [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" || "$filter" != "noop" ]]
  }
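  # Start dnsmasq as root with the generated inspector DHCP configuration.
  # Globals: IRONIC_INSPECTOR_DHCP_CONF_FILE (read)
  function start_inspector_dhcp {
      local dnsmasq_bin
      # NOTE(dtantsur): USE_SYSTEMD requires an absolute path
      # Resolved with the shell builtin instead of which(1); a missing binary
      # is reported here rather than starting a unit with an empty command.
      dnsmasq_bin=$(command -v dnsmasq) || die "$LINENO" "dnsmasq executable not found in PATH"
      run_process ironic-inspector-dhcp \
          "$dnsmasq_bin --conf-file=$IRONIC_INSPECTOR_DHCP_CONF_FILE" \
          "" root
  }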
  # Stop the inspector processes that match the deployment mode: the single
  # service in standalone mode, the API and conductor pair otherwise.
  stop_inspector() {
      case "$IRONIC_INSPECTOR_STANDALONE" in
          True)
              stop_process ironic-inspector
              ;;
          *)
              stop_process ironic-inspector-api
              stop_process ironic-inspector-conductor
              ;;
      esac
  }
  # Stop the dnsmasq process started for inspection DHCP.
  stop_inspector_dhcp() {
      stop_process ironic-inspector-dhcp
  }
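  ### Configuration

  # Stage the inspection kernel and ramdisk and write the boot configuration
  # (an iPXE script or a pxelinux default entry) that points nodes at them.
  # Globals written: IRONIC_INSPECTOR_IMAGE_PATH, IRONIC_INSPECTOR_KERNEL_PATH,
  #   IRONIC_INSPECTOR_INITRAMFS_PATH, IRONIC_INSPECTOR_CALLBACK_URI,
  #   IRONIC_INSPECTOR_KERNEL_CMDLINE (not local, as in the original)
  function prepare_tftp {
      IRONIC_INSPECTOR_IMAGE_PATH="$TOP_DIR/files/ironic-inspector"
      IRONIC_INSPECTOR_KERNEL_PATH="$IRONIC_INSPECTOR_IMAGE_PATH.kernel"
      IRONIC_INSPECTOR_INITRAMFS_PATH="$IRONIC_INSPECTOR_IMAGE_PATH.initramfs"
      IRONIC_INSPECTOR_CALLBACK_URI="$IRONIC_INSPECTOR_INTERNAL_URI/v1/continue"

      # NOTE(review): ipa-insecure=1 and ipa-debug=1 are hard-coded below.
      # ipa-insecure presumably turns off TLS certificate verification in the
      # agent - confirm - so this command line is for test environments only.
      IRONIC_INSPECTOR_KERNEL_CMDLINE="$IRONIC_INSPECTOR_EXTRA_KERNEL_CMDLINE ipa-inspection-callback-url=$IRONIC_INSPECTOR_CALLBACK_URI"
      IRONIC_INSPECTOR_KERNEL_CMDLINE+=" ipa-api-url=$SERVICE_PROTOCOL://$SERVICE_HOST/baremetal"
      IRONIC_INSPECTOR_KERNEL_CMDLINE+=" ipa-insecure=1 systemd.journald.forward_to_console=yes"
      IRONIC_INSPECTOR_KERNEL_CMDLINE+=" vga=normal console=tty0 console=ttyS0"
      IRONIC_INSPECTOR_KERNEL_CMDLINE+=" ipa-inspection-collectors=$IRONIC_INSPECTOR_COLLECTORS"
      IRONIC_INSPECTOR_KERNEL_CMDLINE+=" ipa-debug=1"

      # Obtain the images only when at least one of them is missing.
      if [[ ! -e "$IRONIC_INSPECTOR_KERNEL_PATH" || ! -e "$IRONIC_INSPECTOR_INITRAMFS_PATH" ]]; then
          if [[ "$IRONIC_INSPECTOR_BUILD_RAMDISK" == "True" ]]; then
              build_ipa_ramdisk "$IRONIC_INSPECTOR_KERNEL_PATH" "$IRONIC_INSPECTOR_INITRAMFS_PATH"
          elif [[ -e "$IRONIC_DEPLOY_KERNEL" && -e "$IRONIC_DEPLOY_RAMDISK" ]]; then
              # Reuse the deploy images when both are present.
              cp -- "$IRONIC_DEPLOY_KERNEL" "$IRONIC_INSPECTOR_KERNEL_PATH"
              cp -- "$IRONIC_DEPLOY_RAMDISK" "$IRONIC_INSPECTOR_INITRAMFS_PATH"
          else
              # download the agent image tarball
              # NOTE(review): no checksum or signature is verified for these
              # files, and the default URLs in this plugin use http://. Pin a
              # digest or use a trusted mirror outside a disposable test setup.
              # A failed download is removed so that a truncated file does not
              # satisfy the existence check above on the next run.
              if ! wget "$IRONIC_AGENT_KERNEL_URL" -O "$IRONIC_INSPECTOR_KERNEL_PATH" ||
                  ! wget "$IRONIC_AGENT_RAMDISK_URL" -O "$IRONIC_INSPECTOR_INITRAMFS_PATH"; then
                  rm -f -- "$IRONIC_INSPECTOR_KERNEL_PATH" "$IRONIC_INSPECTOR_INITRAMFS_PATH"
                  die "$LINENO" "Failed to download the inspection kernel/ramdisk"
              fi
          fi
      fi

      if [[ "$IRONIC_IPXE_ENABLED" == "True" ]]; then
          cp -- "$IRONIC_INSPECTOR_KERNEL_PATH" "$IRONIC_HTTP_DIR/ironic-inspector.kernel"
          cp -- "$IRONIC_INSPECTOR_INITRAMFS_PATH" "$IRONIC_HTTP_DIR"

          cat > "$IRONIC_HTTP_DIR/ironic-inspector.ipxe" <<EOF
#!ipxe
dhcp
kernel http://$IRONIC_HTTP_SERVER:$IRONIC_HTTP_PORT/ironic-inspector.kernel BOOTIF=\${mac} $IRONIC_INSPECTOR_KERNEL_CMDLINE
initrd http://$IRONIC_HTTP_SERVER:$IRONIC_HTTP_PORT/ironic-inspector.initramfs
boot
EOF
      else
          mkdir_chown_stack "$IRONIC_TFTPBOOT_DIR/pxelinux.cfg"
          cp -- "$IRONIC_INSPECTOR_KERNEL_PATH" "$IRONIC_TFTPBOOT_DIR/ironic-inspector.kernel"
          cp -- "$IRONIC_INSPECTOR_INITRAMFS_PATH" "$IRONIC_TFTPBOOT_DIR"

          cat > "$IRONIC_TFTPBOOT_DIR/pxelinux.cfg/default" <<EOF
default inspect
label inspect
kernel ironic-inspector.kernel
append initrd=ironic-inspector.initramfs $IRONIC_INSPECTOR_KERNEL_CMDLINE
ipappend 3
EOF
      fi
  }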
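  # Write password-based Keystone credentials into one section of the
  # inspector configuration file.
  # Globals:   KEYSTONE_SERVICE_URI, IRONIC_INSPECTOR_ADMIN_USER,
  #            SERVICE_PASSWORD, SERVICE_PROJECT_NAME, SSL_BUNDLE_FILE,
  #            REGION_NAME (all read)
  # Arguments: $1 - configuration section to fill in
  function inspector_configure_auth_for {
      local section=$1

      inspector_iniset "$section" auth_type password
      inspector_iniset "$section" auth_url "$KEYSTONE_SERVICE_URI"
      inspector_iniset "$section" username "$IRONIC_INSPECTOR_ADMIN_USER"
      # Quoted: an unquoted password is word-split and glob-expanded, so a
      # secret containing "*", "?" or repeated spaces would be written to the
      # configuration file as a different string.
      inspector_iniset "$section" password "$SERVICE_PASSWORD"
      inspector_iniset "$section" project_name "$SERVICE_PROJECT_NAME"
      inspector_iniset "$section" user_domain_id default
      inspector_iniset "$section" project_domain_id default
      inspector_iniset "$section" cafile "$SSL_BUNDLE_FILE"
      inspector_iniset "$section" region_name "$REGION_NAME"
  }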
  # Succeed only when the configured PXE filter driver is exactly "dnsmasq".
  # Globals: IRONIC_INSPECTOR_DHCP_FILTER (read)
  is_dnsmasq_filter_required() {
      case "$IRONIC_INSPECTOR_DHCP_FILTER" in
          dnsmasq) return 0 ;;
          *) return 1 ;;
      esac
  }
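  # Select the dnsmasq PXE filter driver and record its hosts directory and
  # the commands used to stop and start dnsmasq.
  # Globals: IRONIC_INSPECTOR_DHCP_HOSTSDIR,
  #          IRONIC_INSPECTOR_DNSMASQ_STOP_COMMAND,
  #          IRONIC_INSPECTOR_DNSMASQ_START_COMMAND (all read)
  function configure_inspector_pxe_filter_dnsmasq {
      # The directory path is quoted in both places so that the directory
      # created here and the one written to the configuration are the same.
      mkdir_chown_stack "$IRONIC_INSPECTOR_DHCP_HOSTSDIR"
      inspector_iniset pxe_filter driver dnsmasq
      inspector_iniset dnsmasq_pxe_filter dhcp_hostsdir "$IRONIC_INSPECTOR_DHCP_HOSTSDIR"
      inspector_iniset dnsmasq_pxe_filter dnsmasq_stop_command "$IRONIC_INSPECTOR_DNSMASQ_STOP_COMMAND"
      inspector_iniset dnsmasq_pxe_filter dnsmasq_start_command "$IRONIC_INSPECTOR_DNSMASQ_START_COMMAND"
  }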
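  # Replace any dhcp-hostsdir setting in the dnsmasq configuration with the
  # directory used by the dnsmasq PXE filter.
  # Globals: IRONIC_INSPECTOR_DHCP_CONF_FILE, IRONIC_INSPECTOR_DHCP_HOSTSDIR
  #          (both read)
  function configure_dnsmasq_dhcp_hostsdir {
      # "-i -e", not "-ie": GNU sed reads "-ie" as in-place editing with the
      # backup suffix "e", which leaves a stray "<file>e" copy next to the
      # configuration file.
      sed -i -e '/dhcp-hostsdir.*=/d' -- "$IRONIC_INSPECTOR_DHCP_CONF_FILE"
      echo "dhcp-hostsdir=$IRONIC_INSPECTOR_DHCP_HOSTSDIR" >> "$IRONIC_INSPECTOR_DHCP_CONF_FILE"
  }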
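  # Print the arguments of a control command as a comma-separated list.
  # Arguments: $1 - the command itself (dropped), $2... - its arguments
  # Outputs:   the arguments joined with ", " on stdout
  function _dnsmasq_rootwrap_ctl_tail {
      # cut off the command head and replace white-spaces with commas
      shift
      local bits=$*
      # Printed from a quoted expansion: unquoted, an argument such as "*"
      # would be glob-expanded against the current directory before it is
      # written into the rootwrap filter.
      printf '%s\n' "${bits// /, }"
  }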
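  # Turn the dnsmasq stop/start commands into rootwrap CommandFilter rules and
  # write them to rootwrap.d/ironic-inspector-dnsmasq.filters.
  # Globals: IRONIC_INSPECTOR_DNSMASQ_STOP_COMMAND,
  #          IRONIC_INSPECTOR_DNSMASQ_START_COMMAND,
  #          IRONIC_INSPECTOR_CONF_DIR (all read)
  function configure_inspector_dnsmasq_rootwrap {
      local -a stop_cmd=() start_cmd=()
      local stop_cmd_tail start_cmd_tail

      # Split the commands into words with read -a: unlike an unquoted array
      # assignment this performs no glob expansion, so the rule that ends up
      # granting root execution contains exactly the configured words.
      read -r -a stop_cmd <<< "$IRONIC_INSPECTOR_DNSMASQ_STOP_COMMAND"
      read -r -a start_cmd <<< "$IRONIC_INSPECTOR_DNSMASQ_START_COMMAND"

      stop_cmd_tail=$(_dnsmasq_rootwrap_ctl_tail "${stop_cmd[@]}")
      start_cmd_tail=$(_dnsmasq_rootwrap_ctl_tail "${start_cmd[@]}")

      # NOTE(review): with the default commands both rules are keyed by the
      # same name (the command's first word); confirm the rootwrap filter
      # parser keeps both entries rather than only the last one.
      cat > "$IRONIC_INSPECTOR_CONF_DIR/rootwrap.d/ironic-inspector-dnsmasq.filters" <<EOF
[Filters]
# ironic_inspector/pxe_filter/dnsmasq.py
${stop_cmd[0]}: CommandFilter, ${stop_cmd[0]}, root, ${stop_cmd_tail}
${start_cmd[0]}: CommandFilter, ${start_cmd[0]}, root, ${start_cmd_tail}
EOF
  }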
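  # Write the inspector configuration from scratch, wire it into ironic's
  # configuration, install the rootwrap sudoers rule and register the service
  # and its endpoint.
  # Reads the IRONIC_INSPECTOR_* settings of this plugin plus IRONIC_CONF_FILE,
  # STACK_USER and REGION_NAME.
  function configure_inspector {
      mkdir_chown_stack "$IRONIC_INSPECTOR_CONF_DIR"
      mkdir_chown_stack "$IRONIC_INSPECTOR_DATA_DIR"

      create_service_user "$IRONIC_INSPECTOR_ADMIN_USER" "admin"

      # start with a fresh config file
      rm -f -- "$IRONIC_INSPECTOR_CONF_FILE"

      inspector_iniset DEFAULT debug "$IRONIC_INSPECTOR_DEBUG"
      inspector_iniset DEFAULT standalone "$IRONIC_INSPECTOR_STANDALONE"
      inspector_configure_auth_for ironic
      inspector_configure_auth_for service_catalog
      configure_auth_token_middleware "$IRONIC_INSPECTOR_CONF_FILE" "$IRONIC_INSPECTOR_ADMIN_USER" "$IRONIC_INSPECTOR_AUTH_CACHE_DIR/api"

      inspector_iniset DEFAULT listen_port "$IRONIC_INSPECTOR_PORT"
      inspector_iniset DEFAULT listen_address 0.0.0.0 # do not change

      inspector_iniset pxe_filter driver "$IRONIC_INSPECTOR_DHCP_FILTER"
      inspector_iniset iptables dnsmasq_interface "$IRONIC_INSPECTOR_INTERFACE"
      # Quoted: the connection URL must reach the file exactly as generated,
      # without word splitting or glob expansion.
      inspector_iniset database connection "$(database_connection_url ironic_inspector)"

      if [[ -n "$IRONIC_INSPECTOR_PROCESSING_HOOKS" ]]; then
          inspector_iniset processing processing_hooks "\$default_processing_hooks,$IRONIC_INSPECTOR_PROCESSING_HOOKS"
      fi

      inspector_iniset processing power_off "$IRONIC_INSPECTOR_POWER_OFF"

      iniset_rpc_backend ironic-inspector "$IRONIC_INSPECTOR_CONF_FILE"

      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
          # memcached listens localhost instead of $SERVICE_HOST, which is exactly the default value,
          # but set explicitly in case that changed.
          inspector_iniset coordination backend_url "memcached://localhost:11211"
      fi

      if is_service_enabled swift; then
          configure_inspector_swift
      fi
      inspector_iniset processing store_data "$IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE"

      iniset "$IRONIC_CONF_FILE" inspector enabled True
      iniset "$IRONIC_CONF_FILE" inspector service_url "$IRONIC_INSPECTOR_URI"
      if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "True" ]]; then
          iniset "$IRONIC_CONF_FILE" neutron inspection_network "$IRONIC_INSPECTION_NET_NAME"
          iniset "$IRONIC_CONF_FILE" inspector require_managed_boot True
          iniset "$IRONIC_CONF_FILE" inspector extra_kernel_params \
              "ipa-inspection-collectors=\"$IRONIC_INSPECTOR_COLLECTORS\""
          # In this mode we do not have our own PXE environment, so do not accept
          # requests without manage_boot=False.
          inspector_iniset DEFAULT can_manage_boot False
      fi

      setup_logging "$IRONIC_INSPECTOR_CONF_FILE" DEFAULT

      # Adds uWSGI for inspector API
      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
          write_uwsgi_config "$IRONIC_INSPECTOR_UWSGI_CONF" "$IRONIC_INSPECTOR_UWSGI" "/baremetal-introspection"
      fi

      cp "$IRONIC_INSPECTOR_DIR/rootwrap.conf" "$IRONIC_INSPECTOR_ROOTWRAP_CONF_FILE"
      cp -r "$IRONIC_INSPECTOR_DIR/rootwrap.d" "$IRONIC_INSPECTOR_CONF_DIR"
      local ironic_inspector_rootwrap
      ironic_inspector_rootwrap=$(get_rootwrap_location ironic-inspector)
      local rootwrap_sudoer_cmd="$ironic_inspector_rootwrap $IRONIC_INSPECTOR_CONF_DIR/rootwrap.conf *"

      # Set up the rootwrap sudoers for ironic-inspector
      # NOTE(review): rootwrap.conf and rootwrap.d sit in a directory this
      # function chowns to $STACK_USER, so that user controls which commands
      # the rule below lets it run as root. Acceptable for a development host
      # only; a real deployment needs root-owned rootwrap configuration.
      local tempfile
      tempfile=$(mktemp) || die "$LINENO" "mktemp failed"
      echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd" > "$tempfile"
      # Read-only fragment, checked before installation: a file sudo cannot
      # parse in /etc/sudoers.d can disable sudo for the whole host.
      chmod 0440 "$tempfile"
      sudo chown root:root "$tempfile"
      if ! sudo visudo -c -q -f "$tempfile"; then
          sudo rm -f -- "$tempfile"
          die "$LINENO" "Generated rootwrap sudoers rule failed validation"
      fi
      sudo mv "$tempfile" /etc/sudoers.d/ironic-inspector-rootwrap

      inspector_iniset DEFAULT rootwrap_config "$IRONIC_INSPECTOR_ROOTWRAP_CONF_FILE"

      mkdir_chown_stack "$IRONIC_INSPECTOR_RAMDISK_LOGDIR"
      inspector_iniset processing ramdisk_logs_dir "$IRONIC_INSPECTOR_RAMDISK_LOGDIR"
      inspector_iniset processing always_store_ramdisk_logs "$IRONIC_INSPECTOR_ALWAYS_STORE_RAMDISK_LOGS"
      if [[ -n "$IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK" ]]; then
          inspector_iniset processing node_not_found_hook "$IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK"
      fi
      inspector_iniset DEFAULT timeout "$IRONIC_INSPECTOR_TIMEOUT"
      if [[ -n "$IRONIC_INSPECTOR_CLEAN_UP_PERIOD" ]]; then
          inspector_iniset DEFAULT clean_up_period "$IRONIC_INSPECTOR_CLEAN_UP_PERIOD"
      fi

      get_or_create_service "ironic-inspector" "baremetal-introspection" "Ironic Inspector baremetal introspection service"
      get_or_create_endpoint "baremetal-introspection" "$REGION_NAME" \
          "$IRONIC_INSPECTOR_URI" "$IRONIC_INSPECTOR_URI" "$IRONIC_INSPECTOR_URI"

      if is_dnsmasq_filter_required; then
          configure_inspector_dnsmasq_rootwrap
          configure_inspector_pxe_filter_dnsmasq
      fi
  }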
  # Add Keystone credentials for the "swift" section of the inspector
  # configuration.
  configure_inspector_swift() {
      inspector_configure_auth_for swift
  }
  # Generate the dnsmasq configuration for the inspection network. The boot
  # directives depend on whether iPXE is enabled; when the dnsmasq PXE filter
  # is in use the hosts directory is appended afterwards.
  # Globals: IRONIC_INSPECTOR_CONF_DIR, IRONIC_INSPECTOR_DHCP_CONF_FILE,
  #          IRONIC_INSPECTOR_INTERFACE, IRONIC_INSPECTOR_DHCP_RANGE,
  #          IRONIC_IPXE_ENABLED, IRONIC_HTTP_SERVER, IRONIC_HTTP_PORT (read)
  configure_inspector_dhcp() {
      mkdir_chown_stack "$IRONIC_INSPECTOR_CONF_DIR"

      {
          # Settings shared by both boot modes.
          printf '%s\n' \
              'no-daemon' \
              'port=0' \
              "interface=$IRONIC_INSPECTOR_INTERFACE" \
              'bind-interfaces' \
              "dhcp-range=$IRONIC_INSPECTOR_DHCP_RANGE"

          if [[ "$IRONIC_IPXE_ENABLED" == "True" ]]; then
              printf '%s\n' \
                  'dhcp-match=ipxe,175' \
                  'dhcp-boot=tag:!ipxe,undionly.kpxe' \
                  "dhcp-boot=tag:ipxe,http://$IRONIC_HTTP_SERVER:$IRONIC_HTTP_PORT/ironic-inspector.ipxe"
          else
              printf '%s\n' 'dhcp-boot=pxelinux.0'
          fi

          printf '%s\n' 'dhcp-sequential-ip'
      } > "$IRONIC_INSPECTOR_DHCP_CONF_FILE"

      if is_dnsmasq_filter_required; then
          configure_dnsmasq_dhcp_hostsdir
      fi
  }
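  # Prepare the host for inspection: token cache directories, boot files, the
  # inspection interface and the firewall rules that let nodes reach TFTP and
  # the inspector API.
  # Reads IRONIC_INSPECTOR_MANAGED_BOOT, IRONIC_BAREMETAL_BASIC_OPS,
  # IRONIC_IS_HARDWARE, IRONIC_INSPECTOR_OVS_PORT, IRONIC_INSPECTOR_INTERFACE,
  # PUBLIC_BRIDGE_MTU, IRONIC_VM_NETWORK_BRIDGE,
  # IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET, IRONIC_INSPECTOR_PORT,
  # IRONIC_INSPECTOR_STANDALONE and HOST_IP.
  function prepare_environment {
      create_ironic_inspector_cache_dir

      # Every expansion below is quoted: these commands run through sudo, and
      # an interface name or address with unexpected whitespace must not turn
      # into additional ip/iptables arguments.
      if [[ "$IRONIC_INSPECTOR_MANAGED_BOOT" == "False" ]]; then
          prepare_tftp

          if [[ "$IRONIC_BAREMETAL_BASIC_OPS" == "True" && "$IRONIC_IS_HARDWARE" == "False" ]]; then
              # veth pair: one end attached to the VM network bridge, the
              # other used as the inspection interface.
              sudo ip link add "$IRONIC_INSPECTOR_OVS_PORT" type veth peer name "$IRONIC_INSPECTOR_INTERFACE"
              sudo ip link set dev "$IRONIC_INSPECTOR_OVS_PORT" up
              sudo ip link set dev "$IRONIC_INSPECTOR_OVS_PORT" mtu "$PUBLIC_BRIDGE_MTU"
              sudo ovs-vsctl add-port "$IRONIC_VM_NETWORK_BRIDGE" "$IRONIC_INSPECTOR_OVS_PORT"
          fi
          sudo ip link set dev "$IRONIC_INSPECTOR_INTERFACE" up
          sudo ip link set dev "$IRONIC_INSPECTOR_INTERFACE" mtu "$PUBLIC_BRIDGE_MTU"
          sudo ip addr add "$IRONIC_INSPECTOR_INTERNAL_IP_WITH_NET" dev "$IRONIC_INSPECTOR_INTERFACE"

          # Accept TFTP (udp/69) and the inspector API port, but only on the
          # inspection interface.
          sudo iptables -I INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p udp \
              --dport 69 -j ACCEPT
          sudo iptables -I INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp \
              --dport "$IRONIC_INSPECTOR_PORT" -j ACCEPT

          if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
              sudo iptables -I INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp --dport 80 -j ACCEPT
              sudo iptables -I INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp --dport 443 -j ACCEPT
          fi
      else
          # Managed boot: no inspection interface is set up here, so the API
          # port is accepted for traffic addressed to HOST_IP.
          sudo iptables -I INPUT -d "$HOST_IP" -p tcp --dport "$IRONIC_INSPECTOR_PORT" -j ACCEPT
      fi
  }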
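  # create_ironic_inspector_cache_dir() - Part of the prepare_environment() process
  # Creates the "api" and "registry" auth cache directories and empties them.
  # Globals: IRONIC_INSPECTOR_AUTH_CACHE_DIR (read)
  function create_ironic_inspector_cache_dir {
      local sub
      for sub in api registry; do
          # Create cache dir
          mkdir_chown_stack "$IRONIC_INSPECTOR_AUTH_CACHE_DIR/$sub"
          # The directory part is quoted and guarded with ":?" so an empty or
          # unset variable aborts instead of expanding to "/$sub/*"; only the
          # trailing "*" is left to the shell to expand.
          rm -f -- "${IRONIC_INSPECTOR_AUTH_CACHE_DIR:?}/$sub"/*
      done
  }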
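  # Remove what the plugin created: boot files, the sudoers rule, cache and
  # log directories, firewall rules, the inspection interfaces and, when
  # standalone mode is off, the uWSGI configuration.
  function cleanup_inspector {
      # Directory parts are quoted; only the trailing ".*" is globbed.
      if [[ "$IRONIC_IPXE_ENABLED" == "True" ]]; then
          rm -f -- "$IRONIC_HTTP_DIR"/ironic-inspector.*
      else
          rm -f -- "$IRONIC_TFTPBOOT_DIR/pxelinux.cfg/default"
          rm -f -- "$IRONIC_TFTPBOOT_DIR"/ironic-inspector.*
      fi
      sudo rm -f /etc/sudoers.d/ironic-inspector-rootwrap
      # Recursive deletes as root: the path must stay a single operand.
      sudo rm -rf -- "$IRONIC_INSPECTOR_AUTH_CACHE_DIR"
      sudo rm -rf -- "$IRONIC_INSPECTOR_RAMDISK_LOGDIR"

      # Rule removal is best effort, the rules may not exist. "|| true" is
      # used instead of piping into true: the pipe form only hides the
      # failure while pipefail is off.
      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
          sudo iptables -D INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp --dport 80 -j ACCEPT || true
          sudo iptables -D INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp --dport 443 -j ACCEPT || true
      fi

      # Always try to clean up firewall rules, no matter filter driver used
      sudo iptables -D INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p udp \
          --dport 69 -j ACCEPT || true
      sudo iptables -D INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p tcp \
          --dport "$IRONIC_INSPECTOR_PORT" -j ACCEPT || true
      sudo iptables -D INPUT -i "$IRONIC_INSPECTOR_INTERFACE" -p udp \
          --dport 67 -j ironic-inspector || true
      sudo iptables -F ironic-inspector || true
      sudo iptables -X ironic-inspector || true

      # The right-hand side is quoted so it is compared literally rather than
      # treated as a glob pattern.
      if [[ "$IRONIC_INSPECTOR_INTERFACE" != "$OVS_PHYSICAL_BRIDGE" && "$IRONIC_INSPECTOR_INTERFACE_PHYSICAL" == "False" ]]; then
          sudo ip link show "$IRONIC_INSPECTOR_INTERFACE" && sudo ip link delete "$IRONIC_INSPECTOR_INTERFACE"
      fi
      sudo ip link show "$IRONIC_INSPECTOR_OVS_PORT" && sudo ip link delete "$IRONIC_INSPECTOR_OVS_PORT"
      sudo ovs-vsctl --if-exists del-port "$IRONIC_INSPECTOR_OVS_PORT"

      if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
          remove_uwsgi_config "$IRONIC_INSPECTOR_UWSGI_CONF" "$IRONIC_INSPECTOR_UWSGI"
          restart_apache_server
      fi
  }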
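  # Recreate the ironic_inspector database and run the dbsync "upgrade"
  # command against the inspector configuration file.
  # Globals: IRONIC_INSPECTOR_DBSYNC_BIN_FILE, IRONIC_INSPECTOR_CONF_FILE (read)
  function sync_inspector_database {
      recreate_database ironic_inspector
      # Quoted so paths containing spaces are not split into several words.
      "$IRONIC_INSPECTOR_DBSYNC_BIN_FILE" --config-file "$IRONIC_INSPECTOR_CONF_FILE" upgrade
  }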
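  ### Entry points

  # Dispatch on the phase arguments given to the plugin ($1 and $2).
  # NOTE(review): presumably DevStack passes these when it sources the
  # plugin - confirm against the caller.
  if [[ "$1" == "stack" && "$2" == "install" ]]; then
      echo_summary "Installing ironic-inspector"
      if is_inspector_dhcp_required; then
          install_inspector_dhcp
      fi
      install_inspector
      install_inspector_client
  elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
      echo_summary "Configuring ironic-inspector"
      cleanup_inspector
      if is_inspector_dhcp_required; then
          configure_inspector_dhcp
      fi
      configure_inspector
      sync_inspector_database
  elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
      echo_summary "Initializing ironic-inspector"
      prepare_environment
      if is_inspector_dhcp_required; then
          start_inspector_dhcp
      fi
      start_inspector
  elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
      if is_service_enabled tempest; then
          echo_summary "Configuring Tempest for Ironic Inspector"
          # File path and values are quoted so each stays one iniset argument.
          iniset "$TEMPEST_CONFIG" service_available ironic_inspector True
          if [[ -n "$IRONIC_INSPECTOR_NODE_NOT_FOUND_HOOK" ]]; then
              iniset "$TEMPEST_CONFIG" baremetal_introspection auto_discovery_feature True
              iniset "$TEMPEST_CONFIG" baremetal_introspection auto_discovery_default_driver fake-hardware
              iniset "$TEMPEST_CONFIG" baremetal_introspection auto_discovery_target_driver ipmi
          fi
          if [[ -n "${IRONIC_INSPECTOR_TEMPEST_DISCOVERY_TIMEOUT}" ]]; then
              iniset "$TEMPEST_CONFIG" baremetal_introspection discovery_timeout "$IRONIC_INSPECTOR_TEMPEST_DISCOVERY_TIMEOUT"
          fi
          if [[ -n "${IRONIC_INSPECTOR_TEMPEST_INTROSPECTION_TIMEOUT}" ]]; then
              iniset "$TEMPEST_CONFIG" baremetal_introspection introspection_timeout "$IRONIC_INSPECTOR_TEMPEST_INTROSPECTION_TIMEOUT"
          fi
          iniset "$TEMPEST_CONFIG" baremetal_introspection data_store "$IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE"
      fi
  fi

  # Teardown is tested separately from the "stack" phases above.
  if [[ "$1" == "unstack" ]]; then
      stop_inspector
      if is_inspector_dhcp_required; then
          stop_inspector_dhcp
      fi
      cleanup_inspector
  fi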