a1a2048d47
Modify both the inspector and dnsmasq containers for the inspector to be able to modify dnsmasq configuration on the fly to filter the dhcp traffic. The upgrade_tasks moved to the puppet service in order to be shared between both the containerised and regular deployment. The upgrade_tasks were amended with steps to clean-up the iptables inspector chain&rules. With inspector no longer managing iptables rules, create new rules to allow DHCP traffic on IronicInspectorInterface. Co-Authored-By: Harald Jensås <hjensas@redhat.com> Change-Id: Ic7e32acb8559a7a12cd8767dc68c343872a6a4e3 Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
270 lines
12 KiB
YAML
270 lines
12 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL)
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
MonitoringSubscriptionIronicInspector:
|
|
default: 'overcloud-ironic-inspector'
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
IronicInspectorDiscoveryDefaultDriver:
|
|
default: 'ipmi'
|
|
description: |
|
|
The default driver to use for newly discovered nodes
|
|
(requires IronicInspectorEnableNodeDiscovery set to True). This
|
|
driver is automatically added to enabled_drivers.
|
|
type: string
|
|
IronicInspectorEnableNodeDiscovery:
|
|
default: false
|
|
description: |
|
|
Makes ironic-inspector enroll any unknown node that PXE-boots
|
|
introspection ramdisk in Ironic. The default driver to use for new nodes
|
|
is specified by the IronicInspectorDiscoveryDefaultDriver parameter.
|
|
Introspection rules can also be used to specify it.
|
|
type: boolean
|
|
IronicInspectorCollectors:
|
|
default: default,logs
|
|
description: Comma-separated list of IPA inspection collectors
|
|
type: string
|
|
IronicInspectorExtraProcessingHooks:
|
|
default: extra_hardware,lldp_basic,local_link_connection
|
|
description: |
|
|
Comma-separated list of processing hooks to append to the default list.
|
|
type: string
|
|
IronicInspectorInterface:
|
|
default: br-ex
|
|
description: |
|
|
Network interface on which inspection dnsmasq will listen. Should allow
|
|
access to untagged traffic from nodes booted for inspection. The default
|
|
value only makes sense if you don't modify any networking configuration.
|
|
type: string
|
|
IronicInspectorIPXEEnabled:
|
|
default: true
|
|
description: Whether to use iPXE for inspection.
|
|
type: boolean
|
|
IronicInspectorKernelArgs:
|
|
default: 'ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 ipa-debug=1'
|
|
description: Kernel args for the Ironic inspector.
|
|
type: string
|
|
IronicInspectorIpRange:
|
|
description: |
|
|
DEPRECATED: Use IronicInspectorSubnets instead.
|
|
Temporary IP range that will be given to nodes during the inspection
|
|
process. This should not overlap with any range that Neutron's DHCP
|
|
gives away, but it has to be routeable back to ironic-inspector API.
|
|
This option has no meaningful defaults, and thus is required.
|
|
type: string
|
|
default: ''
|
|
IronicInspectorSubnets:
|
|
description: |
|
|
Temporary IP ranges that will be given to nodes during the inspection
|
|
process. This should not overlap with any range that Neutron's DHCP
|
|
gives away, but they need to be routeable back to ironic-inspector API.
|
|
This option has no meaningful defaults, and thus is required.
|
|
|
|
List of dictionaries with keys: 'tag', 'ip_range', 'netmask', and
|
|
'gateway'. 'ip_range' is the only required key. Assigning multiple
|
|
tagged subnets allow dnsmasq to serve dhcp request that came in via
|
|
dhcp relay/helper.
|
|
|
|
Example: - ip_range: 192.168.0.100,192.168.0.120
|
|
- ip_range: 192.168.1.100,192.168.1.200
|
|
netmask: 255.255.255.0
|
|
gateway: 192.168.1.254
|
|
tag: subnet1
|
|
type: json
|
|
default: {}
|
|
IronicInspectorUseSwift:
|
|
default: true
|
|
description: Whether to use Swift for storing introspection data.
|
|
type: boolean
|
|
IronicIPXEPort:
|
|
default: 8088
|
|
description: Port to use for serving images when iPXE is used.
|
|
type: string
|
|
IronicPassword:
|
|
description: The password for the Ironic service and db account, used by the Ironic services
|
|
type: string
|
|
hidden: true
|
|
|
|
conditions:
|
|
enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]}
|
|
use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]}
|
|
enable_node_discovery: {equals : [{get_param: IronicInspectorEnableNodeDiscovery}, true]}
|
|
ironic_inspection_subnets_not_set: {equals : [{get_param: IronicInspectorSubnets}, {}]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Ironic Inspector role.
|
|
value:
|
|
service_name: ironic_inspector
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
|
|
config_settings:
|
|
map_merge:
|
|
- ironic::inspector::listen_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
|
|
ironic::inspector::dnsmasq_local_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
|
|
ironic::inspector::dnsmasq_ip_subnets:
|
|
if:
|
|
- ironic_inspection_subnets_not_set
|
|
- [{ip_range: {get_param: IronicInspectorIpRange}}]
|
|
- get_param: IronicInspectorSubnets
|
|
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
|
|
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
|
|
ironic::inspector::pxe_filter::driver: dnsmasq
|
|
ironic::inspector::debug: {get_param: Debug}
|
|
ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
|
|
ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
|
ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
ironic::inspector::authtoken::username: 'ironic'
|
|
ironic::inspector::authtoken::password: {get_param: IronicPassword}
|
|
ironic::inspector::authtoken::project_name: 'service'
|
|
ironic::inspector::authtoken::user_domain_name: 'Default'
|
|
ironic::inspector::authtoken::project_domain_name: 'Default'
|
|
ironic::inspector::cors::allowed_origin: '*'
|
|
ironic::inspector::cors::max_age: 3600
|
|
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
|
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
|
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
|
tripleo.ironic_inspector.firewall_rules:
|
|
'137 ironic-inspector':
|
|
dport:
|
|
- 5050
|
|
'137 ironic-inspector dhcp input':
|
|
iniface: {get_param: IronicInspectorInterface}
|
|
proto: 'udp'
|
|
chain: 'INPUT'
|
|
dport: 67
|
|
'137 ironic-inspector dhcp output':
|
|
proto: 'udp'
|
|
chain: 'OUTPUT'
|
|
dport: 68
|
|
ironic::inspector::ironic_username: 'ironic'
|
|
ironic::inspector::ironic_password: {get_param: IronicPassword}
|
|
ironic::inspector::ironic_tenant_name: 'service'
|
|
ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
ironic::inspector::ipxe_timeout: 60
|
|
ironic::inspector::ironic_max_retries: 6
|
|
ironic::inspector::ironic_retry_interval: 10
|
|
ironic::inspector::ironic_user_domain_name: 'Default'
|
|
ironic::inspector::ironic_project_domain_name: 'Default'
|
|
ironic::inspector::http_port: {get_param: IronicIPXEPort}
|
|
ironic::inspector::additional_processing_hooks: {get_param: IronicInspectorExtraProcessingHooks}
|
|
ironic::inspector::ramdisk_collectors: {get_param: IronicInspectorCollectors}
|
|
ironic::inspector::ramdisk_kernel_args: {get_param: IronicInspectorKernelArgs}
|
|
ironic::inspector::db::database_connection:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
- '://ironic-inspector:'
|
|
- {get_param: IronicPassword}
|
|
- '@'
|
|
- {get_param: [EndpointMap, MysqlInternal, host]}
|
|
- '/ironic-inspector'
|
|
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
|
|
-
|
|
if:
|
|
- enable_ipxe
|
|
- ironic::inspector::pxe_transfer_protocol: 'http'
|
|
- {}
|
|
-
|
|
if:
|
|
- use_swift
|
|
- ironic::inspector::store_data: 'swift'
|
|
ironic::inspector::swift_username: 'ironic'
|
|
ironic::inspector::swift_password: {get_param: IronicPassword}
|
|
ironic::inspector::swift_tenant_name: 'service'
|
|
ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
ironic::inspector::swift_user_domain_name: 'Default'
|
|
ironic::inspector::swift_project_domain_name: 'Default'
|
|
- {}
|
|
-
|
|
if:
|
|
- enable_node_discovery
|
|
- ironic::inspector::node_not_found_hook: 'enroll'
|
|
ironic::inspector::discovery_default_driver: {get_param: IronicInspectorDiscoveryDefaultDriver}
|
|
- {}
|
|
step_config: |
|
|
include ::tripleo::profile::base::ironic_inspector
|
|
service_config_settings:
|
|
keystone:
|
|
ironic::keystone::auth_inspector::tenant: 'service'
|
|
ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
|
|
ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
|
|
ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
|
|
ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
|
|
ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
|
|
mysql:
|
|
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
|
|
ironic::inspector::db::mysql::user: ironic-inspector
|
|
ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
ironic::inspector::db::mysql::dbname: ironic-inspector
|
|
ironic::inspector::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
upgrade_tasks:
|
|
- name: Stop and disable ironic_inspector service
|
|
when: step|int == 2
|
|
service: name=openstack-ironic-inspector state=stopped enabled=no
|
|
- name: Stop and disable ironic_inspector dnsmasq service
|
|
when: step|int == 2
|
|
service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
|
|
- name: purge iptables port 67 jump rule
|
|
when: step|int == 2
|
|
iptables:
|
|
chain: INPUT
|
|
interface: {get_param: IronicInspectorInterface}
|
|
protocol: udp
|
|
destination_port: 67
|
|
jump: ironic-inspector
|
|
state: absent
|
|
- name: purge iptables ironic-inspector chain
|
|
when: step|int == 2
|
|
iptables:
|
|
chain: ironic-inspector
|
|
flush: true
|
|
state: absent
|