Support ironic-pxe-filter

Closes-Bug: #2094790 Depends-On: https://review.opendev.org/c/openstack/kolla/+/939256 Change-Id: I1b5329d814432604640990b0ecc28906845e29d6 Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com> Signed-off-by: Will Szumski <will@stackhpc.com>
2025-01-14 12:04:11 +00:00
parent ea5675f499
commit 0f0e9bbb08
11 changed files with 107 additions and 14 deletions
--- a/ansible/group_vars/all/ironic.yml
+++ b/ansible/group_vars/all/ironic.yml
@@ -3,6 +3,7 @@ enable_ironic: "no"
 enable_ironic_dnsmasq: "{{ enable_ironic | bool }}"
 enable_ironic_neutron_agent: "no"
 enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}"
+enable_ironic_pxe_filter: "no"

 # Keystone user
 ironic_keystone_user: "ironic"
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -68,6 +68,17 @@ ironic_services:
    image: "{{ ironic_dnsmasq_image_full }}"
    volumes: "{{ ironic_dnsmasq_default_volumes + ironic_dnsmasq_extra_volumes }}"
    dimensions: "{{ ironic_dnsmasq_dimensions }}"
+    pid_mode: host
+  ironic-pxe-filter:
+    container_name: ironic_pxe_filter
+    group: ironic-dnsmasq
+    enabled: "{{ enable_ironic_pxe_filter }}"
+    image: "{{ ironic_pxe_filter_image_full }}"
+    volumes: "{{ ironic_pxe_filter_default_volumes + ironic_pxe_filter_extra_volumes }}"
+    dimensions: "{{ ironic_pxe_filter_dimensions }}"
+    # TODO: --pid container:ironic_dnsmasq but this is more complicated since we need to
+    # declare dependency in systemd too.
+    pid_mode: host
  ironic-prometheus-exporter:
    container_name: ironic_prometheus_exporter
    group: ironic-conductor
@@ -127,6 +138,10 @@ ironic_dnsmasq_image: "{{ docker_image_url }}dnsmasq"
 ironic_dnsmasq_tag: "{{ ironic_tag }}"
 ironic_dnsmasq_image_full: "{{ ironic_dnsmasq_image }}:{{ ironic_dnsmasq_tag }}"

+ironic_pxe_filter_image: "{{ docker_image_url }}ironic-pxe-filter"
+ironic_pxe_filter_tag: "{{ ironic_tag }}"
+ironic_pxe_filter_image_full: "{{ ironic_pxe_filter_image }}:{{ ironic_pxe_filter_tag }}"
+
 ironic_prometheus_exporter_image: "{{ docker_image_url }}ironic-prometheus-exporter"
 ironic_prometheus_exporter_tag: "{{ ironic_tag }}"
 ironic_prometheus_exporter_image_full: "{{ ironic_prometheus_exporter_image }}:{{ ironic_prometheus_exporter_tag }}"
@@ -136,6 +151,7 @@ ironic_conductor_dimensions: "{{ default_container_dimensions }}"
 ironic_tftp_dimensions: "{{ default_container_dimensions }}"
 ironic_http_dimensions: "{{ default_container_dimensions }}"
 ironic_dnsmasq_dimensions: "{{ default_container_dimensions }}"
+ironic_pxe_filter_dimensions: "{{ default_container_dimensions }}"
 ironic_prometheus_exporter_dimensions: "{{ default_container_dimensions }}"

 ironic_api_enable_healthchecks: "{{ enable_container_healthchecks }}"
@@ -212,8 +228,16 @@ ironic_dnsmasq_default_volumes:
  - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
-  - "kolla_logs:/var/log/kolla"
  - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
+  - "kolla_logs:/var/log/kolla"
+  - "/run:/run{{ ':shared' if kolla_container_engine == 'docker' else '' }}"
+ironic_pxe_filter_default_volumes:
+  - "{{ node_config_directory }}/ironic-pxe-filter/:{{ container_config_directory }}/:ro"
+  - "/etc/localtime:/etc/localtime:ro"
+  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
+  - "kolla_logs:/var/log/kolla"
+  - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir"
+  - "/run:/run{{ ':shared' if kolla_container_engine == 'docker' else '' }}"
 ironic_prometheus_exporter_default_volumes:
  - "{{ node_config_directory }}/ironic-prometheus-exporter/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
@@ -227,6 +251,7 @@ ironic_conductor_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_tftp_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_http_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}"
+ironic_pxe_filter_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}"

 ####################
--- a/ansible/roles/ironic/handlers/main.yml
+++ b/ansible/roles/ironic/handlers/main.yml
@@ -69,6 +69,21 @@
    volumes: "{{ service.volumes }}"
    dimensions: "{{ service.dimensions }}"
    cap_add: "{{ service.cap_add }}"
+    pid_mode: "{{ service.pid_mode }}"
+
+- name: Restart ironic-pxe-filter container
+  vars:
+    service_name: "ironic-pxe-filter"
+    service: "{{ ironic_services[service_name] }}"
+  become: true
+  kolla_container:
+    action: "recreate_or_restart_container"
+    common_options: "{{ docker_common_options }}"
+    name: "{{ service.container_name }}"
+    image: "{{ service.image }}"
+    volumes: "{{ service.volumes }}"
+    dimensions: "{{ service.dimensions }}"
+    pid_mode: "{{ service.pid_mode }}"

 - name: Restart ironic-prometheus-exporter container
  vars:
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -54,7 +54,7 @@
    mode: "0660"
  become: true
  when:
-    - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter" ]
+    - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter", "ironic-pxe-filter" ]
  with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"

 - name: Copying over dnsmasq.conf
--- a/ansible/roles/ironic/tasks/rolling_upgrade.yml
+++ b/ansible/roles/ironic/tasks/rolling_upgrade.yml
@@ -5,21 +5,19 @@
 # This is only needed when performing a slow rolling upgrade process
 # where you need to maintain compatibility between different versions
 # during the upgrade. For direct version jumps, this section can be skipped.
- import_tasks: config.yml
+- name: Pin release version for rolling upgrades
+  when: ironic_pin_release_version | length > 0
+  block:
+    - import_tasks: config.yml
      vars:
        pin_release_version: "{{ ironic_pin_release_version }}"
-  when: ironic_pin_release_version | length > 0

- import_tasks: check-containers.yml
+    - import_tasks: check-containers.yml

- import_tasks: bootstrap_service.yml
+    - import_tasks: bootstrap_service.yml

-# TODO(donghm): Flush_handlers to restart ironic services
-# should be run in serial nodes to decrease downtime. Update when
-# the module ansible strategy for rolling upgrade is finished.
-
-# Restart ironic services with pinned release version
- name: Flush handlers
+    # Restart ironic services with pinned release version
+    - name: Flush handlers
      meta: flush_handlers

 # Unpin version
--- a/ansible/roles/ironic/templates/ironic-pxe-filter.json.j2
+++ b/ansible/roles/ironic/templates/ironic-pxe-filter.json.j2
@@ -0,0 +1,23 @@
+{
+    "command": "ironic-pxe-filter --config-file /etc/ironic/ironic.conf --log-file /var/log/kolla/ironic/ironic-pxe-filter.log",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/ironic.conf",
+            "dest": "/etc/ironic/ironic.conf",
+            "owner": "ironic",
+            "perm": "0600"
+        }
+    ],
+    "permissions": [
+        {
+            "path": "/var/log/kolla/ironic",
+            "owner": "ironic:ironic",
+            "recurse": true
+        },
+        {
+            "path": "/var/lib/ironic",
+            "owner": "ironic:ironic",
+            "recurse": true
+        }
+    ]
+}
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -197,3 +197,6 @@ dhcp_provider = none

 [oslo_concurrency]
 lock_path = /var/lib/ironic/tmp
+
+[pxe_filter]
+dhcp_hostsdir = /etc/dnsmasq/dhcp-hostsdir
--- a/doc/source/reference/bare-metal/ironic-guide.rst
+++ b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -107,6 +107,26 @@ You may optionally pass extra kernel parameters to the inspection kernel using:

 in ``/etc/kolla/globals.yml``.

+PXE filter (optional)
+~~~~~~~~~~~~~~~~~~~~~
+
+To keep parity with the standalone inspector you can enable the experimental
+PXE filter service:
+
+.. code-block:: yaml
+
+   enable_ironic_pxe_filter: "yes"
+
+The PXE filter container runs alongside ``ironic-dnsmasq`` and cleans up stale
+DHCP entries. It is especially useful when auto discovery is enabled and when
+the dnsmasq DHCP range overlaps with a Neutron-served network. For the upstream
+details see
+https://docs.openstack.org/ironic/latest/admin/inspection/pxe_filter.html.
+
+.. note::
+
+   Upstream still classifies this PXE filter implementation as experimental.
+
 Configure conductor's HTTP server port (optional)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The port used for conductor's HTTP server is controlled via
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -385,6 +385,7 @@ workaround_ansible_issue_8743: yes
 #enable_ironic: "no"
 #enable_ironic_neutron_agent: "no"
 #enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}"
+#enable_ironic_pxe_filter: "no"
 #enable_iscsid: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"
 #enable_kuryr: "no"
 #enable_magnum: "no"
--- a/releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml
+++ b/releasenotes/notes/ironic-pxe-filter-8376c424cb533bd3.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds the optional ``ironic-pxe-filter`` service controlled by
+    ``enable_ironic_pxe_filter``. This brings parity with the standalone
+    inspector. Upstream currently classifies the PXE filter as experimental.
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -127,6 +127,7 @@ enable_aodh: "yes"

 {% if scenario == "ironic" %}
 enable_ironic: "yes"
+enable_ironic_pxe_filter: "yes"
 enable_prometheus: "yes"
 enable_prometheus_openstack_exporter: "no"
 ironic_dnsmasq_dhcp_ranges: