From 0f0e9bbb085b310fc1ed13fd283df91f7d82db10 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 14 Jan 2025 12:04:11 +0000 Subject: [PATCH] Support ironic-pxe-filter Closes-Bug: #2094790 Depends-On: https://review.opendev.org/c/openstack/kolla/+/939256 Change-Id: I1b5329d814432604640990b0ecc28906845e29d6 Signed-off-by: Michal Nasiadka Signed-off-by: Will Szumski --- ansible/group_vars/all/ironic.yml | 1 + ansible/roles/ironic/defaults/main.yml | 27 ++++++++++++++++++- ansible/roles/ironic/handlers/main.yml | 15 +++++++++++ ansible/roles/ironic/tasks/config.yml | 2 +- .../roles/ironic/tasks/rolling_upgrade.yml | 22 +++++++-------- .../templates/ironic-pxe-filter.json.j2 | 23 ++++++++++++++++ ansible/roles/ironic/templates/ironic.conf.j2 | 3 +++ .../reference/bare-metal/ironic-guide.rst | 20 ++++++++++++++ etc/kolla/globals.yml | 1 + .../ironic-pxe-filter-8376c424cb533bd3.yaml | 6 +++++ tests/templates/globals-default.j2 | 1 + 11 files changed, 107 insertions(+), 14 deletions(-) create mode 100644 ansible/roles/ironic/templates/ironic-pxe-filter.json.j2 create mode 100644 releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml diff --git a/ansible/group_vars/all/ironic.yml b/ansible/group_vars/all/ironic.yml index 48e017975d..1acb6e7ab1 100644 --- a/ansible/group_vars/all/ironic.yml +++ b/ansible/group_vars/all/ironic.yml @@ -3,6 +3,7 @@ enable_ironic: "no" enable_ironic_dnsmasq: "{{ enable_ironic | bool }}" enable_ironic_neutron_agent: "no" enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}" +enable_ironic_pxe_filter: "no" # Keystone user ironic_keystone_user: "ironic" diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index fb485375a2..9c80ad6fea 100644 --- a/ansible/roles/ironic/defaults/main.yml +++ b/ansible/roles/ironic/defaults/main.yml 
@@ -68,6 +68,17 @@ ironic_services: image: "{{ ironic_dnsmasq_image_full }}" volumes: "{{ ironic_dnsmasq_default_volumes + ironic_dnsmasq_extra_volumes }}" dimensions: "{{ ironic_dnsmasq_dimensions }}" + pid_mode: host + ironic-pxe-filter: + container_name: ironic_pxe_filter + group: ironic-dnsmasq + enabled: "{{ enable_ironic_pxe_filter }}" + image: "{{ ironic_pxe_filter_image_full }}" + volumes: "{{ ironic_pxe_filter_default_volumes + ironic_pxe_filter_extra_volumes }}" + dimensions: "{{ ironic_pxe_filter_dimensions }}" + # TODO: --pid container:ironic_dnsmasq but this is more complicated since we need to + # declare dependency in systemd too. + pid_mode: host ironic-prometheus-exporter: container_name: ironic_prometheus_exporter group: ironic-conductor @@ -127,6 +138,10 @@ ironic_dnsmasq_image: "{{ docker_image_url }}dnsmasq" ironic_dnsmasq_tag: "{{ ironic_tag }}" ironic_dnsmasq_image_full: "{{ ironic_dnsmasq_image }}:{{ ironic_dnsmasq_tag }}" +ironic_pxe_filter_image: "{{ docker_image_url }}ironic-pxe-filter" +ironic_pxe_filter_tag: "{{ ironic_tag }}" +ironic_pxe_filter_image_full: "{{ ironic_pxe_filter_image }}:{{ ironic_pxe_filter_tag }}" + ironic_prometheus_exporter_image: "{{ docker_image_url }}ironic-prometheus-exporter" ironic_prometheus_exporter_tag: "{{ ironic_tag }}" ironic_prometheus_exporter_image_full: "{{ ironic_prometheus_exporter_image }}:{{ ironic_prometheus_exporter_tag }}" @@ -136,6 +151,7 @@ ironic_conductor_dimensions: "{{ default_container_dimensions }}" ironic_tftp_dimensions: "{{ default_container_dimensions }}" ironic_http_dimensions: "{{ default_container_dimensions }}" ironic_dnsmasq_dimensions: "{{ default_container_dimensions }}" +ironic_pxe_filter_dimensions: "{{ default_container_dimensions }}" ironic_prometheus_exporter_dimensions: "{{ default_container_dimensions }}" ironic_api_enable_healthchecks: "{{ enable_container_healthchecks }}" 
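Review bot: The first added `pid_mode: host` lands on the existing `ironic-dnsmasq` entry, so dnsmasq joins the host PID namespace on every deployment, including those that leave `enable_ironic_pxe_filter` at "no". A container in the host PID namespace can see every process on the host, which is wider than what the TODO on the `ironic-pxe-filter` entry describes as the goal (`container:ironic_dnsmasq`). Until that narrower mode is implemented, consider making the dnsmasq setting conditional, e.g. `pid_mode: "{{ 'host' if enable_ironic_pxe_filter | bool else '' }}"`, provided `kolla_container` accepts an empty value here. The TODO comment should also be repeated above the dnsmasq `pid_mode` line so the reason is documented on both entries.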
@@ -212,8 +228,16 @@ ironic_dnsmasq_default_volumes: - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - - "kolla_logs:/var/log/kolla" - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro" + - "kolla_logs:/var/log/kolla" + - "/run:/run{{ ':shared' if kolla_container_engine == 'docker' else '' }}" +ironic_pxe_filter_default_volumes: + - "{{ node_config_directory }}/ironic-pxe-filter/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" + - "kolla_logs:/var/log/kolla" + - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir" + - "/run:/run{{ ':shared' if kolla_container_engine == 'docker' else '' }}" ironic_prometheus_exporter_default_volumes: - "{{ node_config_directory }}/ironic-prometheus-exporter/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" @@ -227,6 +251,7 @@ ironic_conductor_extra_volumes: "{{ ironic_extra_volumes }}" ironic_tftp_extra_volumes: "{{ ironic_extra_volumes }}" ironic_http_extra_volumes: "{{ ironic_extra_volumes }}" ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}" +ironic_pxe_filter_extra_volumes: "{{ ironic_extra_volumes }}" ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}" #################### diff --git a/ansible/roles/ironic/handlers/main.yml b/ansible/roles/ironic/handlers/main.yml index d7989a5736..417fbd46f5 100644 --- a/ansible/roles/ironic/handlers/main.yml +++ b/ansible/roles/ironic/handlers/main.yml 
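Review bot: The new `/run:/run` entry in both `ironic_dnsmasq_default_volumes` and `ironic_pxe_filter_default_volumes` bind-mounts the whole host `/run` read-write. That directory typically holds the container engine's API socket and other host control sockets, so a compromise of either container would reach well beyond the DHCP service. The dnsmasq mount is also added regardless of `enable_ironic_pxe_filter`. If the two containers only need to share dnsmasq's pid file (an inference, since the hunk does not say what under `/run` is used), a dedicated named volume or a single subdirectory would cover it. At minimum add a comment above the entry naming the path that is needed, e.g. `# shared so ironic-pxe-filter can locate the dnsmasq pid file`.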
@@ -69,6 +69,21 @@ volumes: "{{ service.volumes }}" dimensions: "{{ service.dimensions }}" cap_add: "{{ service.cap_add }}" + pid_mode: "{{ service.pid_mode }}" + +- name: Restart ironic-pxe-filter container + vars: + service_name: "ironic-pxe-filter" + service: "{{ ironic_services[service_name] }}" + become: true + kolla_container: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + volumes: "{{ service.volumes }}" + dimensions: "{{ service.dimensions }}" + pid_mode: "{{ service.pid_mode }}" - name: Restart ironic-prometheus-exporter container vars: diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index 98a3e66e2e..1919094860 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml @@ -54,7 +54,7 @@ mode: "0660" become: true when: - - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter" ] + - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter", "ironic-pxe-filter" ] with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}" - name: Copying over dnsmasq.conf diff --git a/ansible/roles/ironic/tasks/rolling_upgrade.yml b/ansible/roles/ironic/tasks/rolling_upgrade.yml index 66a86fcf6e..40998142c1 100644 --- a/ansible/roles/ironic/tasks/rolling_upgrade.yml +++ b/ansible/roles/ironic/tasks/rolling_upgrade.yml 
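Review bot: Both handlers read `service.pid_mode` directly, so an operator override of `ironic_services` that omits the new key would fail the handler with an undefined-variable error instead of falling back to the engine default. Writing `pid_mode: "{{ service.pid_mode | default(omit) }}"` in the dnsmasq handler and in the new `Restart ironic-pxe-filter container` handler keeps them tolerant of such overrides. The dnsmasq handler begins above the hunk, so its remaining options are not visible here.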
@@ -5,22 +5,20 @@ # This is only needed when performing a slow rolling upgrade process # where you need to maintain compatibility between different versions # during the upgrade. For direct version jumps, this section can be skipped. -- import_tasks: config.yml - vars: - pin_release_version: "{{ ironic_pin_release_version }}" +- name: Pin release version for rolling upgrades when: ironic_pin_release_version | length > 0 + block: + - import_tasks: config.yml + vars: + pin_release_version: "{{ ironic_pin_release_version }}" -- import_tasks: check-containers.yml + - import_tasks: check-containers.yml -- import_tasks: bootstrap_service.yml + - import_tasks: bootstrap_service.yml -# TODO(donghm): Flush_handlers to restart ironic services -# should be run in serial nodes to decrease downtime. Update when -# the module ansible strategy for rolling upgrade is finished. - -# Restart ironic services with pinned release version -- name: Flush handlers - meta: flush_handlers + # Restart ironic services with pinned release version + - name: Flush handlers + meta: flush_handlers # Unpin version - import_tasks: config.yml diff --git a/ansible/roles/ironic/templates/ironic-pxe-filter.json.j2 b/ansible/roles/ironic/templates/ironic-pxe-filter.json.j2 new file mode 100644 index 0000000000..6bcf7e351b --- /dev/null +++ b/ansible/roles/ironic/templates/ironic-pxe-filter.json.j2 @@ -0,0 +1,23 @@ +{ + "command": "ironic-pxe-filter --config-file /etc/ironic/ironic.conf --log-file /var/log/kolla/ironic/ironic-pxe-filter.log", + "config_files": [ + { + "source": "{{ container_config_directory }}/ironic.conf", + "dest": "/etc/ironic/ironic.conf", + "owner": "ironic", + "perm": "0600" + } + ], + "permissions": [ + { + "path": "/var/log/kolla/ironic", + "owner": "ironic:ironic", + "recurse": true + }, + { + "path": "/var/lib/ironic", + "owner": "ironic:ironic", + "recurse": true + } + ] +} 
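Review bot: Wrapping the first phase in a block under `when: ironic_pin_release_version | length > 0` changes upgrade behaviour beyond what the subject line covers. `check-containers.yml`, `bootstrap_service.yml` and the handler flush used to run unconditionally and are now skipped when no version is pinned. Whether they still run in the unpinned phase depends on the tasks after `# Unpin version`, which continue outside the hunk, so please confirm that and either mention the change in the commit message or split it out. The `TODO(donghm)` about restarting services serially is also removed without replacement; if it still applies, keep it above the `Flush handlers` task.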
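Review bot: The `permissions` list does not cover `/etc/dnsmasq/dhcp-hostsdir`, the one path this service is given writable: defaults/main.yml mounts the `ironic_dhcp_hosts` volume without `:ro` for this container. If the filter runs as `ironic`, as the `owner` of ironic.conf suggests, and the volume is root-owned, writes to the hosts directory would fail. Unless the image already sets that ownership, add an entry such as `{"path": "/etc/dnsmasq/dhcp-hostsdir", "owner": "ironic:ironic", "recurse": true}`.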
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 1f0c6a4265..66fbdb1f77 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -197,3 +197,6 @@ dhcp_provider = none [oslo_concurrency] lock_path = /var/lib/ironic/tmp + +[pxe_filter] +dhcp_hostsdir = /etc/dnsmasq/dhcp-hostsdir diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst index d7a5ee90b7..99e8bbefb2 100644 --- a/doc/source/reference/bare-metal/ironic-guide.rst +++ b/doc/source/reference/bare-metal/ironic-guide.rst @@ -107,6 +107,26 @@ You may optionally pass extra kernel parameters to the inspection kernel using: in ``/etc/kolla/globals.yml``. +PXE filter (optional) +~~~~~~~~~~~~~~~~~~~~~ + +To keep parity with the standalone inspector you can enable the experimental +PXE filter service: + +.. code-block:: yaml + + enable_ironic_pxe_filter: "yes" + +The PXE filter container runs alongside ``ironic-dnsmasq`` and cleans up stale +DHCP entries. It is especially useful when auto discovery is enabled and when +the dnsmasq DHCP range overlaps with a Neutron-served network. For the upstream +details see +https://docs.openstack.org/ironic/latest/admin/inspection/pxe_filter.html. + +.. note:: + + Upstream still classifies this PXE filter implementation as experimental. + Configure conductor's HTTP server port (optional) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The port used for conductor's HTTP server is controlled via diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 9d4f00a0a4..3c05da982d 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml 
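Review bot: The `[pxe_filter]` section is appended unconditionally, so it is rendered into ironic.conf for every ironic service even when `enable_ironic_pxe_filter` is "no". Guarding it with `{% if enable_ironic_pxe_filter | bool %}` and `{% endif %}` would match the toggle. The literal `/etc/dnsmasq/dhcp-hostsdir` now also has to stay equal to the `ironic_dhcp_hosts` mount target in defaults/main.yml, so a short comment saying so next to `dhcp_hostsdir` would help keep the two in step.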
@@ -385,6 +385,7 @@ workaround_ansible_issue_8743: yes #enable_ironic: "no" #enable_ironic_neutron_agent: "no" #enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}" +#enable_ironic_pxe_filter: "no" #enable_iscsid: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}" #enable_kuryr: "no" #enable_magnum: "no" diff --git a/releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml b/releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml new file mode 100644 index 0000000000..80f38db8d2 --- /dev/null +++ b/releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds the optional ``ironic-pxe-filter`` service controlled by + ``enable_ironic_pxe_filter``. This brings parity with the standalone + inspector. Upstream currently classifies the PXE filter as experimental. diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2 index 32a28773fb..3444d87e3b 100644 --- a/tests/templates/globals-default.j2 +++ b/tests/templates/globals-default.j2 @@ -127,6 +127,7 @@ enable_aodh: "yes" {% if scenario == "ironic" %} enable_ironic: "yes" +enable_ironic_pxe_filter: "yes" enable_prometheus: "yes" enable_prometheus_openstack_exporter: "no" ironic_dnsmasq_dhcp_ranges: