tripleo-heat-templates/deployment/ironic/ironic-inspector-container-puppet.yaml
Cédric Jeanneret ae5fa916f7 Enable CAP_AUDIT_WRITE for some containers/steps
Usually, db_sync involves call to "sudo". Such call are now logging a
warning/error in the host log due to a recently removed capability in
podman, the CAP_AUDIT_WRITE. This capability allows containers to write
in the audit log whenever there's a security related thing.

Sudo isn't the only one needing this access - sshd also writes in the
audit. Since the nova-migration-target runs sshd, enabling the
capability in there will ensure we're keeping clean track of the
accesses.

Change-Id: I8972b16254b141e7102ea87cb6c0d489d8426751
Closes-Bug: #1991219
2022-10-03 13:31:59 +02:00

628 lines
27 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Ironic Inspector service (EXPERIMENTAL)
parameters:
ContainerIronicInspectorImage:
description: image
type: string
tags:
- role_specific
ContainerIronicInspectorConfigImage:
description: The container image to use for the ironic_inspector config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
IPAImageURLs:
default: []
description: IPA image URLs, the format should be ["http://path/to/kernel", "http://path/to/ramdisk"]
type: json
MonitoringSubscriptionIronicInspector:
default: 'overcloud-ironic-inspector'
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
IronicInspectorDiscoveryDefaultDriver:
default: 'ipmi'
description: |
The default driver to use for newly discovered nodes
(requires IronicInspectorEnableNodeDiscovery set to True). This
driver is automatically added to enabled_drivers.
type: string
IronicInspectorEnableNodeDiscovery:
default: false
description: |
Makes ironic-inspector enroll any unknown node that PXE-boots
introspection ramdisk in Ironic. The default driver to use for new nodes
is specified by the IronicInspectorDiscoveryDefaultDriver parameter.
Introspection rules can also be used to specify it.
type: boolean
IronicInspectorCollectors:
default: default,logs
description: Comma-separated list of IPA inspection collectors
type: string
IronicInspectorExtraProcessingHooks:
default: extra_hardware,lldp_basic,local_link_connection,physnet_cidr_map
description: |
Comma-separated list of processing hooks to append to the default list.
type: string
IronicInspectorInterface:
default: br-ex
description: |
Network interface on which inspection dnsmasq will listen. Should allow
access to untagged traffic from nodes booted for inspection. The default
value only makes sense if you don't modify any networking configuration.
type: string
IronicInspectorIPXEEnabled:
default: true
description: Whether to use iPXE for inspection.
type: boolean
IronicInspectorKernelArgs:
default: 'ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 ipa-debug=1'
description: Kernel args for the Ironic inspector.
type: string
IronicInspectorIpRange:
description: |
DEPRECATED: Use IronicInspectorSubnets instead.
Temporary IP range that will be given to nodes during the inspection
process. This should not overlap with any range that Neutron's DHCP
gives away, but it has to be routeable back to ironic-inspector API.
This option has no meaningful defaults, and thus is required.
type: string
default: ''
IronicInspectorSubnets:
description: |
Temporary IP ranges that will be given to nodes during the inspection
process. This should not overlap with any range that Neutron's DHCP
gives away, but they need to be routeable back to ironic-inspector API.
This option has no meaningful defaults, and thus is required.
List of dictionaries with keys: 'tag', 'ip_range', 'netmask', and
'gateway'. 'ip_range' is the only required key. Assigning multiple
tagged subnets allow dnsmasq to serve dhcp request that came in via
dhcp relay/helper.
Example: - ip_range: 192.168.0.100,192.168.0.120
- ip_range: 192.168.1.100,192.168.1.200
netmask: 255.255.255.0
gateway: 192.168.1.254
tag: subnet1
NOTE: For HA deployments use disjoint address pools to avoid potential
address conflict. Use the hostname (short form) of each instance
that will run Ironic Inspector and define a dictionary with the
disjoint ip ranges.
Example HA deployment using disjoint address pools:
overcloud-ironic-0:
- ip_range: 192.168.24.100,192.168.24.119
- ip_range: 192.168.25.100,192.168.25.119
netmask: 255.255.255.0
gateway: 192.168.25.254
tag: subnet1
overcloud-ironic-1:
- ip_range: 192.168.24.120,192.168.24.139
- ip_range: 192.168.25.120,192.168.25.139
netmask: 255.255.255.0
gateway: 192.168.25.254
tag: subnet1
type: json
default: {}
IronicInspectorUseSwift:
default: true
description: |
DEPRECATED: Use IronicInspectorStorageBackend instead.
Whether to use Swift for storing introspection data.
type: boolean
IronicInspectorStorageBackend:
default: 'none'
description: Storage backend for storing introspection data.
type: string
constraints:
- allowed_values: ['none', 'swift', 'database']
IronicIPXEPort:
default: 8088
description: Port to use for serving images when iPXE is used.
type: number
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
AdditionalArchitectures:
default: []
description: List of additional architectures to enable.
type: comma_delimited_list
PortPhysnetCidrMap:
default: {}
description: |
Mapping of IP subnet CIDR to physical network. When the physnet_cidr_map
processing hook is enabled the physical_network property of baremetal
ports is populated based on this mapping.
Example:
PortPhysnetCidrMap:
'10.10.10.0/24': 'physnet_a'
'2001:db8::/64': 'physnet_b'
type: json
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: 'keystone'
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
type: string
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
hidden: True
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- IronicInspectorIpRange
- IronicInspectorUseSwift
conditions:
use_swift:
or:
- {get_param: IronicInspectorUseSwift}
- equals: [{get_param: IronicInspectorStorageBackend}, 'swift']
ironic_inspection_subnets_set:
not: {equals : [{get_param: IronicInspectorSubnets}, {}]}
enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]}
ipa_images: {not: {equals: [{get_param: IPAImageURLs}, []]}}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_http_basic:
equals: [{get_param: IronicAuthStrategy}, 'http_basic']
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerIronicInspectorImage: ContainerIronicInspectorImage
ContainerIronicInspectorConfigImage: ContainerIronicInspectorConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerIronicInspectorImage: {get_param: ContainerIronicInspectorImage}
ContainerIronicInspectorConfigImage: {get_param: ContainerIronicInspectorConfigImage}
outputs:
role_data:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
firewall_frontend_rules:
'100 ironic-inspector_haproxy_frontend':
dport:
- 5050
firewall_ssl_frontend_rules:
'100 ironic-inspector_haproxy_frontend_ssl':
dport:
- 13050
keystone_resources:
ironic-inspector:
endpoints:
public: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
internal: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
admin: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
users:
ironic-inspector:
password: {get_param: IronicPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
- ironic::inspector::listen_address:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
ironic::inspector::dnsmasq_local_ip:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
tripleo::profile::base::ironic_inspector::inspection_subnets:
if:
- ironic_inspection_subnets_set
- get_param: IronicInspectorSubnets
- [{ip_range: {get_param: IronicInspectorIpRange}}]
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
ironic::inspector::auth_strategy: {get_param: IronicAuthStrategy}
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
ironic::inspector::pxe_filter::dnsmasq::purge_dhcp_hostsdir: false
ironic::inspector::pxe_filter::driver: dnsmasq
ironic::inspector::logging::debug: {get_param: Debug}
ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri, uri_no_suffix] }
ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::authtoken::username: 'ironic'
ironic::inspector::authtoken::password: {get_param: IronicPassword}
ironic::inspector::authtoken::project_name: 'service'
ironic::inspector::authtoken::user_domain_name: 'Default'
ironic::inspector::authtoken::project_domain_name: 'Default'
ironic::inspector::authtoken::region_name: {get_param: KeystoneRegion}
ironic::inspector::authtoken::interface: 'internal'
ironic::inspector::cors::allowed_origin: '*'
ironic::inspector::cors::max_age: 3600
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
ironic::inspector::ipxe_timeout: 60
ironic::inspector::ironic::username: 'ironic'
ironic::inspector::ironic::password: {get_param: IronicPassword}
ironic::inspector::ironic::project_name: 'service'
ironic::inspector::ironic::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::ironic::max_retries: 6
ironic::inspector::ironic::retry_interval: 10
ironic::inspector::ironic::user_domain_name: 'Default'
ironic::inspector::ironic::project_domain_name: 'Default'
ironic::inspector::ironic::region_name: {get_param: KeystoneRegion}
ironic::inspector::http_port: {get_param: IronicIPXEPort}
ironic::inspector::additional_processing_hooks: {get_param: IronicInspectorExtraProcessingHooks}
ironic::inspector::ramdisk_collectors: {get_param: IronicInspectorCollectors}
ironic::inspector::ramdisk_kernel_args: {get_param: IronicInspectorKernelArgs}
ironic::inspector::port_physnet_cidr_map: {get_param: PortPhysnetCidrMap}
ironic::inspector::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: ironic-inspector
password: {get_param: IronicPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /ironic-inspector
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: ironic_inspector
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
ironic::inspector::sync_db: false
ironic::inspector::enable_ppc64le:
if:
- enable_architecture_ppc64le
- true
ironic::inspector::pxe_transfer_protocol:
if:
- {get_param: IronicInspectorIPXEEnabled}
- 'http'
- if:
- auth_strategy_non_default
- ironic::inspector::ironic::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::inspector::ironic::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
- if:
- use_swift
- ironic::inspector::store_data: 'swift'
ironic::inspector::swift::username: 'ironic'
ironic::inspector::swift::password: {get_param: IronicPassword}
ironic::inspector::swift::project_name: 'service'
ironic::inspector::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::swift::user_domain_name: 'Default'
ironic::inspector::swift::project_domain_name: 'Default'
ironic::inspector::swift::region_name: {get_param: KeystoneRegion}
- ironic::inspector::store_data: {get_param: IronicInspectorStorageBackend}
- if:
- {get_param: IronicInspectorEnableNodeDiscovery}
- ironic::inspector::node_not_found_hook: 'enroll'
ironic::inspector::discovery_default_driver: {get_param: IronicInspectorDiscoveryDefaultDriver}
# Match what we do for Ironic containers
- ironic::inspector::tftp_root: /var/lib/ironic/tftpboot
ironic::inspector::http_root: /var/lib/ironic/httpboot
service_config_settings:
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector
ironic::inspector::db::mysql::host: '%'
ironic::inspector::db::mysql::dbname: ironic-inspector
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic_inspector
puppet_tags: ironic_inspector_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::ironic_inspector
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerIronicInspectorConfigImage]}
volumes:
- /var/lib/ironic:/var/lib/ironic:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:z
kolla_config:
/var/lib/kolla/config_files/ironic_inspector.json:
command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector.conf
config_files: &ironic_inspector_config_files
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/ironic-inspector
owner: ironic-inspector:ironic-inspector
recurse: true
- path: /var/lib/ironic
owner: ironic:ironic
recurse: true
- path: /var/lib/ironic-inspector/dhcp-hostsdir
owner: ironic-inspector:ironic-inspector
recurse: true
/var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/lib/ironic-inspector/dhcp-hostsdir
owner: ironic-inspector:ironic-inspector
recurse: true
command: /sbin/dnsmasq --conf-file=/etc/ironic-inspector/dnsmasq.conf -k --log-facility=/var/log/ironic-inspector/dnsmasq.log
/var/lib/kolla/config_files/ironic_inspector_db_sync.json:
command: "/usr/bin/bootstrap_host_exec ironic_inspector su ironic-inspector -s /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade'"
config_files: *ironic_inspector_config_files
permissions:
- path: /var/log/ironic-inspector
owner: ironic-inspector:ironic-inspector
recurse: true
docker_config:
step_3:
ironic_inspector_init_log:
start_order: 0
image: &ironic_inspector_image
get_attr: [RoleParametersValue, value, ContainerIronicInspectorImage]
net: none
user: root
volumes:
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector']
ironic_inspector_init_dnsmasq_dhcp_hostsdir:
start_order: 1
image: *ironic_inspector_image
net: none
user: root
volumes:
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir']
ironic_inspector_db_sync:
start_order: 2
image: *ironic_inspector_image
cap_add:
- AUDIT_WRITE
net: host
user: root
privileged: false
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/ironic_inspector_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
ironic_inspector_get_ipa:
start_order: 2
image: *ironic_inspector_image
net: host
user: root
privileged: false
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/ironic:/var/lib/ironic:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
command:
if:
- ipa_images
- list_join:
- " "
- - "curl -g -o /var/lib/ironic/httpboot/agent.kernel"
- {get_param: [IPAImageURLs, 0]}
- "-o /var/lib/ironic/httpboot/agent.ramdisk"
- {get_param: [IPAImageURLs, 1]}
- 'true'
step_4:
ironic_inspector:
start_order: 92
image: *ironic_inspector_image
privileged: true
net: host
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic:shared,z
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
- if:
- auth_strategy_http_basic
- - /etc/ironic_inspector_passwd:/etc/ironic-inspector/htpasswd:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
ironic_inspector_dnsmasq:
start_order: 93
image: *ironic_inspector_image
privileged: true
net: host
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic_inspector:/var/lib/kolla/config_files/src:ro
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create fcontext entry for ironic-inspector data
community.general.sefcontext:
target: "/var/lib/ironic-inspector/dhcp-hostsdir(/.*)?"
setype: container_file_t
state: present
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic-inspector/dhcp-hostsdir, 'setype': container_file_t }
- name: create password file when auth_strategy is 'http_basic'
vars:
is_http_basic:
if:
- auth_strategy_http_basic
- true
- false
copy:
dest: /etc/ironic_inspector_passwd
content:
str_replace:
template: |
admin:{{'$ADMIN_PASSWORD' | password_hash('bcrypt')}}
ironic-inspector:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$ADMIN_PASSWORD: {get_param: AdminPassword}
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_http_basic | bool
- name: create persistent ironic-inspector dnsmasq dhcp hostsdir
file:
path: /var/lib/ironic-inspector/dhcp-hostsdir
state: directory
setype: container_file_t
upgrade_tasks: []
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop ironic inspector container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- ironic_inspector
- ironic_inspector_dnsmasq
tripleo_delegate_to: "{{ groups['ironic_inspector'] | difference(groups['excluded_overcloud']) }}"