PXE configuration guide for unmanaged inspection

To a large extent, copy-paste from the Inspector docs. Adjusted some
wording to be more generic. Migrated the (un)managed docs since they
apply to both implementations and are important for understanding.

Change-Id: I7d6cdb34f1ffce53b3cac48c8e2df09f8a861422

doc/source/admin/fast-track.rst

@@ -48,23 +48,24 @@ node:
 Inspection
 ----------
 
-If using :ref:`in-band inspection`, you need to tell ironic-inspector not to
-power off nodes afterwards. Depending on the inspection mode (managed or
-unmanaged), you need to configure two places. In ``ironic.conf``:
+If using :ref:`in-band inspection`, you need to tell ironic or ironic-inspector
+not to power off nodes afterwards. Depending on the inspection mode (managed or
+unmanaged, with ironic-inspector or without), you need to configure two places.
+In ``ironic.conf``:
 
 .. code-block:: ini
 
    [inspector]
    power_off = false
 
-And in ``inspector.conf``:
+And in ``inspector.conf`` (if needed):
 
 .. code-block:: ini
 
    [processing]
    power_off = false
 
-Finally, you need to update the :ironic-inspector-doc:`inspection PXE
-configuration <install/index.html#configuration>` to include the
+Finally, you need to update the :ref:`inspection PXE/iPXE
+configuration <configure-unmanaged-inspection>` to include the
 ``ipa-api-url`` kernel parameter, pointing at the **ironic** endpoint, in
 addition to the existing ``ipa-inspection-callback-url``.

doc/source/admin/inspection/inspector.rst

@@ -32,54 +32,11 @@ configuration file must be set:
     add_ports = all
     keep_ports = present
 
-There are two modes of in-band inspection: `managed inspection`_ and `unmanaged
-inspection`_.
+Managed and unmanaged inspection
+--------------------------------
+
+There are two modes of in-band inspection: *managed* inspection and *unmanaged*
+inspection. See :doc:`/admin/inspection/managed` for more details.
 
 .. _ironic-inspector: https://pypi.org/project/ironic-inspector
 .. _python-ironicclient: https://pypi.org/project/python-ironicclient
-
-Managed inspection
-~~~~~~~~~~~~~~~~~~
-
-Inspection is *managed* when the Bare Metal conductor fully configures the node
-for inspection, including setting boot device, boot mode and power state. This
-is the only way to conduct inspection using :ref:`redfish-virtual-media` or
-with :doc:`/admin/dhcp-less`. This mode is engaged automatically when the node
-has sufficient information to configure boot (e.g. ports in case of iPXE).
-
-There are a few configuration options that tune managed inspection, the most
-important is ``extra_kernel_params``, which allows adding kernel parameters for
-inspection specifically. This is where you can configure
-:ironic-python-agent-doc:`inspection collectors and other parameters
-<admin/how_it_works.html#inspection>`, for example:
-
-.. code-block:: ini
-
-   [inspector]
-   extra_kernel_params = ipa-inspection-collectors=default,logs ipa-collect-lldp=1
-
-For the callback URL the ironic-inspector endpoint from the service catalog is
-used. If you want to override the endpoint for callback only, set the following
-option:
-
-.. code-block:: ini
-
-   [inspector]
-   callback_endpoint_override = https://example.com/baremetal-introspection/v1/continue
-
-Unmanaged inspection
-~~~~~~~~~~~~~~~~~~~~
-
-Under *unmanaged* inspection we understand in-band inspection orchestrated by
-ironic-inspector or a third party. This was the only inspection mode before the
-Ussuri release, and it is still used when the node's boot cannot be configured
-by the conductor. The options described above do not affect unmanaged
-inspection. See :ironic-inspector-doc:`ironic-inspector installation guide
-<install/index.html>` for more information.
-
-If you want to **prevent** unmanaged inspection from working, set this option:
-
-.. code-block:: ini
-
-   [inspector]
-   require_managed_boot = True

doc/source/admin/inspection/managed.rst

@@ -1,8 +1,66 @@
 Managed and unmanaged inspection
 ================================
 
-In-band inspection can be *managed* or *unmanaged*. Please see :doc:`the
-Inspector documentation <inspector>` for information on these concepts and
-how to configure them.
+In-band inspection can be *managed* or *unmanaged*. This document explains the
+difference between these two concepts and applies both to the built-in in-band
+inspection and to :doc:`/admin/inspection/inspector`.
 
-.. TODO(dtantsur): migrate that information here once inspector is deprecated
+Managed inspection
+~~~~~~~~~~~~~~~~~~
+
+Inspection is *managed* when the Bare Metal conductor fully configures the node
+for inspection, including setting boot device, boot mode and power state. This
+is the only way to conduct inspection using :ref:`redfish-virtual-media` or
+with :doc:`/admin/dhcp-less`. This mode is engaged automatically when the node
+has sufficient information to configure boot (e.g. ports in case of iPXE).
+
+There are a few configuration options that tune managed inspection, the most
+important is ``extra_kernel_params``, which allows adding kernel parameters for
+inspection specifically. This is where you can configure
+:ironic-python-agent-doc:`inspection collectors and other parameters
+<admin/how_it_works.html#inspection>`, for example:
+
+.. code-block:: ini
+
+   [inspector]
+   extra_kernel_params = ipa-inspection-collectors=default,logs ipa-collect-lldp=1
+
+For the callback URL the ironic-inspector endpoint from the service catalog is
+used. If you want to override the endpoint for callback only, set the following
+option:
+
+.. code-block:: ini
+
+   [inspector]
+   callback_endpoint_override = https://example.com/baremetal-introspection/v1/continue
+
+For the built-in inspection, the bare metal API endpoint can be overriden
+instead:
+
+.. code-block:: ini
+
+   [service_catalog]
+   endpoint_override = https://example.com/baremetal
+
+.. _unmanaged-inspection:
+
+Unmanaged inspection
+~~~~~~~~~~~~~~~~~~~~
+
+Under *unmanaged* inspection we understand in-band inspection where the boot
+configuration (iPXE scripts, DHCP options,  etc) is not provided
+by the Bare Metal service. In this case, the node is simply set to boot from
+network and powered on. The operator is responsible for the correct network
+boot configuration, e.g. as explained in :ref:`configure-unmanaged-inspection`.
+
+Unmanaged inspection was the only inspection mode before the Ussuri release,
+and it is still used when the node's boot cannot be configured by the
+conductor. The options described above do not affect unmanaged inspection.
+
+Unmanaged inspection is currently enabled by default but will be disabled
+in the near future. To enable it, set ``require_managed_boot`` to ``False``:
+
+.. code-block:: ini
+
+   [inspector]
+   require_managed_boot = False

doc/source/install/configure-pxe.rst

@@ -469,3 +469,125 @@ those paths will be created using configuration parameter
 the configuration parameter ``[pxe]file_permission``. Absolute destination
 paths are not supported and will result in ironic failing to start up as
 it is a misconfiguration of the deployment.
+
+.. _configure-unmanaged-inspection:
+
+Configuring unmanaged in-band inspection
+----------------------------------------
+
+This section must be followed if you intend to use :ref:`unmanaged-inspection`
+without ironic-inspector. For ironic-inspector support, check `its installation
+guide
+<https://docs.openstack.org/ironic-inspector/latest/install/index.html#configuration>`_.
+
+With PXE
+~~~~~~~~
+
+After you followed `TFTP Server Setup`_, you need to create the default PXE
+configuration. Populate ``/tftpboot/pxelinux.cfg/default`` with the following
+contents::
+
+    default introspect
+
+    label introspect
+    kernel ironic-python-agent.kernel
+    append initrd=ironic-python-agent.initramfs ipa-inspection-callback-url=http://{IP}:6385/v1/continue_inspection systemd.journald.forward_to_console=yes
+
+    ipappend 3
+
+Instead of ``http://{IP}:6385/v1/continue_inspection``, insert the correct Bare
+Metal API endpoint, keeping the mandatory ``/v1/continue_inspection`` suffix.
+You may also populate other IPA options (e.g. ``ipa-debug=1`` for detailed
+logging, ``ipa-inspection-collectors`` to customize the inspection process,
+or ``ipa-api-url`` to enable :doc:`/admin/fast-track`).
+
+Second, you need to configure DHCP for unknows hosts since the OpenStack
+Networking service won't be able to handle them. For instance, you can install
+**dnsmasq** and use the following ``/etc/dnsmasq.conf``:
+
+.. code-block:: ini
+
+    port=0
+    interface={INTERFACE}
+    bind-interfaces
+    dhcp-range={DHCP IP RANGE, e.g. 192.168.0.50,192.168.0.150}
+    enable-tftp
+    tftp-root=/tftpboot
+    dhcp-boot=pxelinux.0
+    dhcp-sequential-ip
+
+.. warning::
+   Ironic currently lacks `PXE filters
+   <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`_
+   used by ironic-inspector to allow its DHCP server to co-exist with
+   OpenStack Networking (neutron) on the same network. Unless you can
+   physically isolation the inspection network, you may want to stay with
+   ironic-inspector for the time being.
+
+Finally, build or download IPA images into
+``/tftpboot/ironic-python-agent.kernel`` and
+``/tftpboot/ironic-python-agent.initramfs``. These can be the same images that
+you use for deployment and cleaning.
+
+With iPXE
+~~~~~~~~~
+
+iPXE configuration is pretty similar to PXE above, but differs in details.
+Start with `iPXE Setup`_, then create a new file ``/httpboot/inspection.ipxe``
+with the following contents::
+
+    #!ipxe
+
+    :retry_dhcp
+    dhcp || goto retry_dhcp
+
+    :retry_boot
+    imgfree
+    kernel --timeout 30000 http://{IP}:8080/ironic-python-agent.kernel ipa-inspection-callback-url=http://{IP}:6385/v1/continue_inspection systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-python-agent.initramfs || goto retry_boot
+    initrd --timeout 30000 http://{IP}:8080/ironic-python-agent.initramfs || goto retry_boot
+    boot
+
+Just as `with PXE`_, adjust ``ipa-inspection-callback-url`` to match your
+deployment and add any required IPA options. You also need to fix ``{IP}:8080``
+to match the iPXE server you configured previously.
+
+The DHCP configuration is much more complex. Since most hardware does not have
+an up-to-date iPXE firmware, you need to bootstrap it from TFTP. The
+**dnsmasq** configuration may look roughly like this:
+
+.. code-block:: ini
+
+    port=0
+    interface={INTERFACE}
+    bind-interfaces
+    dhcp-range={DHCP IP RANGE, e.g. 192.168.0.50,192.168.0.150}
+    enable-tftp
+    tftp-root=/tftpboot
+    dhcp-sequential-ip
+    dhcp-match=ipxe,175
+    dhcp-match=set:efi,option:client-arch,7
+    dhcp-match=set:efi,option:client-arch,9
+    dhcp-match=set:efi,option:client-arch,11
+    # dhcpv6.option: Client System Architecture Type (61)
+    dhcp-match=set:efi6,option6:61,0007
+    dhcp-match=set:efi6,option6:61,0009
+    dhcp-match=set:efi6,option6:61,0011
+    dhcp-userclass=set:ipxe6,iPXE
+    # Client is already running iPXE; move to next stage of chainloading
+    dhcp-boot=tag:ipxe,http://{IP}:8080/inspection.ipxe
+    # Client is PXE booting over EFI without iPXE ROM,
+    # send EFI version of iPXE chainloader
+    dhcp-boot=tag:efi,tag:!ipxe,ipxe.efi
+    dhcp-option=tag:efi6,tag:!ipxe6,option6:bootfile-url,tftp://{IP}/ipxe.efi
+    # Client is running PXE over BIOS; send BIOS version of iPXE chainloader
+    dhcp-boot=undionly.kpxe,localhost.localdomain,{IP}
+
+.. note::
+   It's not trivial to write such a configuration from scratch. In addition to
+   this document, you may take some inspiration from `Bifrost
+   <https://opendev.org/openstack/bifrost/src/branch/master/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2>`_
+   and `Metal3
+   <https://github.com/metal3-io/ironic-image/blob/main/ironic-config/dnsmasq.conf.j2>`_.
+
+Finally, put ``ironic-python-agent.kernel`` and
+``ironic-python-agent.initramfs`` to ``/httpboot``.