From 762aecbfae0719a7d2fa15fd23ddd40c471be113 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Mon, 8 Nov 2021 21:23:21 +0300 Subject: [PATCH] Multiple DHCP ranges for Ironic Inspector MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a new parameter 'ironic_dnsmasq_dhcp_ranges' and enable the configuration of the corresponding 'dhcp-range' and 'dhcp-option' blocks in Ironic Inspector dnsmasq for multiple ranges. The old parameters 'ironic_dnsmasq_dhcp_range' and 'ironic_dnsmasq_default_gateway' used for the only range are now removed. This change implements the same solution used in the TripleO several years ago in the: Ie49b07ffe948576f5d9330cf11ee014aef4b282d Also, this change contains: Iae15e9db0acc2ecd5b087a9ca430be948bc3e649 fix for lease time. The value can be changed globally or per range. Change-Id: Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a Signed-off-by: Maksim Malchuk Co-Authored-By: Radosław Piliszek --- ansible/roles/ironic/defaults/main.yml | 4 +- ansible/roles/ironic/tasks/precheck.yml | 7 ++- .../ironic/templates/ironic-dnsmasq.conf.j2 | 12 +++-- .../reference/bare-metal/ironic-guide.rst | 44 ++++++++++++++++--- etc/kolla/globals.yml | 8 ++-- ...ctor-multiple-ranges-b7c734d38b90c331.yaml | 26 +++++++++++ tests/templates/globals-default.j2 | 3 +- 7 files changed, 83 insertions(+), 21 deletions(-) create mode 100644 releasenotes/notes/ironic-inspector-multiple-ranges-b7c734d38b90c331.yaml diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml index dfc7ef4cc4..0bee254835 100644 --- a/ansible/roles/ironic/defaults/main.yml +++ b/ansible/roles/ironic/defaults/main.yml 
@@ -252,8 +252,8 @@ openstack_ironic_inspector_auth: "{{ openstack_auth }}" # Ironic ######### ironic_dnsmasq_interface: "{{ api_interface }}" -ironic_dnsmasq_dhcp_range: -ironic_dnsmasq_default_gateway: +ironic_dnsmasq_dhcp_ranges: +ironic_dnsmasq_dhcp_default_lease_time: "10m" # TODO(yoctozepto): Do not rely on deprecated enable_ironic_ipxe in Zed. ironic_dnsmasq_serve_ipxe: "{{ enable_ironic_ipxe | default(\"yes\") }}" ironic_dnsmasq_boot_file: "{% if ironic_dnsmasq_serve_ipxe | bool %}undionly.kpxe{% else %}pxelinux.0{% endif %}" diff --git a/ansible/roles/ironic/tasks/precheck.yml b/ansible/roles/ironic/tasks/precheck.yml index be8d03b07c..005b16f753 100644 --- a/ansible/roles/ironic/tasks/precheck.yml +++ b/ansible/roles/ironic/tasks/precheck.yml @@ -68,11 +68,10 @@ - "ironic-agent.kernel" - "ironic-agent.initramfs" -- name: Ensure dnsmasq_dhcp_range configured for Ironic Dnsmasq +- name: Ensure ironic_dnsmasq_dhcp_ranges is configured fail: msg: > - ironic_dnsmasq_dhcp_range must be set when enable ironic + ironic_dnsmasq_dhcp_ranges must be a list connection: local run_once: True - when: - - ironic_dnsmasq_dhcp_range is none + when: not ironic_dnsmasq_dhcp_ranges is sequence diff --git a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 index 7fb316a6be..beddbdeea8 100644 --- a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 +++ b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 
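Review bot: Removing `ironic_dnsmasq_dhcp_range` and `ironic_dnsmasq_default_gateway` from the defaults means a globals.yml that still sets them is silently ignored. An operator who adds the new list but leaves the old gateway variable in place gets no router option and no warning. A precheck task that fails with `when: ironic_dnsmasq_dhcp_range is defined or ironic_dnsmasq_default_gateway is defined` would surface this at upgrade time. The bare `ironic_dnsmasq_dhcp_ranges:` default also deserves a comment, for example `# Null on purpose: the precheck rejects it until the operator supplies a list of ranges.`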
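Review bot: The new condition `not ironic_dnsmasq_dhcp_ranges is sequence` in the precheck task lets through a plain string, a mapping and an empty list, because Jinja's `sequence` test is true for all three. A string such as the old `"start,end,netmask"` value would presumably only fail later, when the template reads `item.range`. An empty list would render a dnsmasq config with no `dhcp-range` line at all, although the documentation in this change says at least one range is required. Tightening the check to `when: ironic_dnsmasq_dhcp_ranges is string or ironic_dnsmasq_dhcp_ranges is mapping or ironic_dnsmasq_dhcp_ranges is not sequence or ironic_dnsmasq_dhcp_ranges | length == 0` keeps the failure in the precheck. The message could then read `ironic_dnsmasq_dhcp_ranges must be a non-empty list of ranges`.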
@@ -5,16 +5,20 @@ port=0 interface={{ ironic_dnsmasq_interface }} bind-interfaces -dhcp-range={{ ironic_dnsmasq_dhcp_range }} +{% for item in ironic_dnsmasq_dhcp_ranges %} +{% set tag = item.tag | default('range_' ~ loop.index) %} +{% set lease_time = item.lease_time | default(ironic_dnsmasq_dhcp_default_lease_time) %} +dhcp-range=set:{{ tag }},{{ item.range }},{{ lease_time }} +{% if item.routers is defined %} +dhcp-option=tag:{{ tag }},option:router,{{ item.routers }} +{% endif %} +{% endfor %} dhcp-sequential-ip {% if api_address_family == 'ipv6' %} {# TODO(yoctozepto): IPv6-only support - DHCPv6 PXE support #} {# different options must be used here #} {% else %}{# ipv4 #} -{% if ironic_dnsmasq_default_gateway is not none %} -dhcp-option=3,{{ ironic_dnsmasq_default_gateway }} -{% endif %} dhcp-option=option:tftp-server,{{ api_interface_address }} dhcp-option=option:server-ip-address,{{ api_interface_address }} dhcp-option=210,/var/lib/ironic/tftpboot/ diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst index a239e9c448..1354677959 100644 --- a/doc/source/reference/bare-metal/ironic-guide.rst +++ b/doc/source/reference/bare-metal/ironic-guide.rst 
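Review bot: Nothing keeps the `tag` values unique in the new `{% for %}` loop: an explicit `tag` on one entry can equal the generated `range_N` default of another, or two entries can carry the same tag. The `dhcp-option=tag:…,option:router` line of one range would then presumably match clients of the other and hand them the wrong gateway. Either always derive the tag from `loop.index`, or state the constraint next to the `set tag` line, e.g. `{# tags must be unique across ranges; a shared tag makes the router option apply to both #}`. The router option is also now rendered before the `api_address_family == 'ipv6'` test, whereas the removed `dhcp-option=3` line sat in the IPv4 branch (that `{% if %}` block continues past the hunk). Because `item.range`, `item.routers` and `tag` are written into dnsmasq.conf unmodified, the shape of each entry is worth validating in the precheck.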
@@ -18,22 +18,52 @@ Enable Ironic in ``/etc/kolla/globals.yml``: enable_ironic: "yes" In the same file, define a network interface as the default NIC for dnsmasq and -a range of IP addresses that will be available for use by Ironic inspector. -The optional netmask of the network should be provided in case when DHCP-relay -is used. Finally, define a network to be used for the Ironic cleaning network: +define a network to be used for the Ironic cleaning network: .. code-block:: yaml ironic_dnsmasq_interface: "eth1" - ironic_dnsmasq_dhcp_range: "192.168.5.100,192.168.5.110,255.255.255.0" ironic_cleaning_network: "public1" -In the same file, optionally a default gateway to be used for the Ironic -Inspector inspection network: +Finally, define at least one DHCP range for Ironic inspector: .. code-block:: yaml - ironic_dnsmasq_default_gateway: 192.168.5.1 + ironic_dnsmasq_dhcp_ranges: + - range: "192.168.5.100,192.168.5.110" + +Another example of a single range with a router (multiple routers +are possible by separating addresses with commas): + +.. code-block:: yaml + + ironic_dnsmasq_dhcp_ranges: + - range: "192.168.5.100,192.168.5.110" + routers: "192.168.5.1" + +To support DHCP relay, it is also possible to define a netmask in the range. +It is advisable to also provide a router to allow the traffic to reach the +Ironic server. + +.. code-block:: yaml + + ironic_dnsmasq_dhcp_ranges: + - range: "192.168.5.100,192.168.5.110,255.255.255.0" + routers: "192.168.5.1" + +Multiple ranges are possible, they can be either for directly-connected +interfaces or relays (if with netmask): + +.. code-block:: yaml + + ironic_dnsmasq_dhcp_ranges: + - range: "192.168.5.100,192.168.5.110" + - range: "192.168.6.100,192.168.6.110,255.255.255.0" + routers: "192.168.6.1" + +The default lease time for each range can be configured globally via +``ironic_dnsmasq_dhcp_default_lease_time`` variable or per range via +``lease_time`` parameter. 
In the same file, specify the PXE bootloader file for Ironic Inspector. The file is relative to the ``/var/lib/ironic/tftpboot`` directory. The default is diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index bd756c9680..58aaabc54c 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -587,9 +587,11 @@ ############################# # dnsmasq bind interface for Ironic Inspector, by default is network_interface #ironic_dnsmasq_interface: "{{ network_interface }}" -# The following value must be set when enabling ironic, the value format is -# "192.168.0.10,192.168.0.100,255.255.255.0" the last being an optional netmask. -#ironic_dnsmasq_dhcp_range: +# The following value must be set when enabling ironic, the value format is a +# list of ranges - at least one must be configured, for example: +# - range: 192.168.0.10,192.168.0.100 +# See Kolla Ansible docs on Ironic for details. +#ironic_dnsmasq_dhcp_ranges: # PXE bootloader file for Ironic Inspector, relative to /var/lib/ironic/tftpboot. #ironic_dnsmasq_boot_file: "pxelinux.0" diff --git a/releasenotes/notes/ironic-inspector-multiple-ranges-b7c734d38b90c331.yaml b/releasenotes/notes/ironic-inspector-multiple-ranges-b7c734d38b90c331.yaml new file mode 100644 index 0000000000..ac1768b13e --- /dev/null +++ b/releasenotes/notes/ironic-inspector-multiple-ranges-b7c734d38b90c331.yaml 
@@ -0,0 +1,26 @@ +--- +features: + - | + Adds support for multiple DHCP ranges in the Ironic Inspector DHCP server. + +upgrade: + - | + Modifies the default lease time of the Ironic Inspector DHCP server to 10 + minutes. This is small enough to use small pools of IP addresses for + inspection but gives more room for the inspection to succeed. + This default can be changed globally via + ``ironic_dnsmasq_dhcp_default_lease_time`` variable or per range via + ``lease_time`` parameter. + - | + Replace usage of ``ironic_dnsmasq_dhcp_range`` together with + ``ironic_dnsmasq_default_gateway`` to ``ironic_dnsmasq_dhcp_ranges``. + For example, if you have:: + + ironic_dnsmasq_dhcp_range: "10.42.0.2,10.42.0.254,255.255.255.0" + ironic_dnsmasq_default_gateway: "10.42.0.1" + + replace it with:: + + ironic_dnsmasq_dhcp_ranges: + - range: "10.42.0.2,10.42.0.254,255.255.255.0" + routers: "10.42.0.1" diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2 index 4cef1db833..a566a9af0b 100644 --- a/tests/templates/globals-default.j2 +++ b/tests/templates/globals-default.j2 @@ -99,7 +99,8 @@ enable_aodh: "yes" {% if scenario == "ironic" %} enable_ironic: "yes" -ironic_dnsmasq_dhcp_range: "10.42.0.2,10.42.0.254,255.255.255.0" +ironic_dnsmasq_dhcp_ranges: + - range: "10.42.0.2,10.42.0.254,255.255.255.0" {% endif %} {% if scenario == "masakari" %}
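Review bot: The ironic scenario in tests/templates/globals-default.j2 only sets a single `range`, so the `routers`, `tag` and `lease_time` paths added to the dnsmasq template in this change are never rendered in CI. Adding `    routers: "10.42.0.1"` under the existing entry (the address the release note uses for this subnet) would at least exercise the tagged `dhcp-option` line.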