tripleo-heat-templates/deployment/ironic/ironic-conductor-container-puppet.yaml
Harald Jensås bd13adefd1 Add parameter IronicIPXEUefiSnpOnly
Add new parameter IronicIPXEUefiSnpOnly (default: true).
When `true` ipxe-snponly.efi is used for UEFI, when `false` ipxe.efi
is used.

'snponly.efi' is the default in puppet-ironic master branch, however
in Wallaby and earlier releases 'ipxe.efi' is the default. Since
'ipxe.efi' is not compatible with a lot of hardware TripleO should
change this default.

Related: RHBZ#2049179
Closes-Bug: 1959726
Change-Id: I8ee338c3f3e20f1826d98efb38d3b21fefda5031
2022-02-02 22:45:54 +00:00

767 lines
35 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Ironic Conductor service
parameters:
ContainerIronicConductorImage:
description: image
type: string
tags:
- role_specific
ContainerIronicConfigImage:
description: The container image to use for the ironic config_volume
type: string
tags:
- role_specific
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
IronicConfigureSwiftTempUrlKey:
default: true
description: Whether to configure Swift temporary URLs for use with
the "direct" and "ansible" deploy interfaces.
type: boolean
IronicAutomatedClean:
default: true
description: Enables or disables automated cleaning which may result in
security problems and deployment failures on rebuilds.
Do not set to False, unless you really know what you are doing.
type: boolean
IronicCleaningDiskErase:
default: 'full'
description: Type of disk cleaning before and between deployments,
"full" for full cleaning, "metadata" to clean only disk
metadata (partition table).
type: string
IronicCleaningNetwork:
default: 'provisioning'
description: Name or UUID of the *overcloud* network used for cleaning
bare metal nodes. The default value of "provisioning" can be
left during the initial deployment (when no networks are
created yet) and should be changed to an actual UUID in
a post-deployment stack update.
type: string
tags:
- role_specific
IronicDebug:
default: false
description: Set to True to enable debugging Ironic services.
type: boolean
IronicDefaultBootOption:
default: 'local'
description: How to boot the bare metal instances. Set to 'local' (the
default) to use local bootloader (requires grub2 for partition
images). Set to 'netboot' to make the instances boot from
controllers using PXE/iPXE.
type: string
IronicDefaultBootMode:
default: 'uefi'
description: Default boot mode to use when no boot mode is explicitly
requested in node's driver_info, capabilities or in the
"instance_info" configuration. One of 'bios' or 'uefi'.
type: string
IronicDefaultBootInterface:
default: ''
description: Boot interface implementation to use by default. Leave empty to
set none. This may not work if a hardware type does not support
the set boot interface. This overrides create-time defaults.
The ordered union of the enabled boot interfaces and hardware
type determines, under normal circumstances, what the default
will be.
type: string
IronicDefaultDeployInterface:
default: ''
description: Deploy interface implementation to use by default. Leave empty to
use the hardware type default.
type: string
IronicDefaultInspectInterface:
default: ''
description: Inspect interface implementation to use by default. Leave empty to
use the hardware type default.
type: string
IronicDefaultNetworkInterface:
default: 'flat'
description: Network interface implementation to use by default.
Set to "flat" (the default) to use one flat provider network.
Set to "neutron" to make Ironic interact with the Neutron
ML2 driver to enable other network types and certain
advances networking features. Requires
IronicProvisioningNetwork to be correctly set.
type: string
IronicDefaultRescueInterface:
default: 'agent'
description: Default rescue implementation to use. The "agent" rescue
requires a compatible ramdisk to be used.
type: string
IronicDeployLogsStorageBackend:
default: 'local'
description: Backend to use to store ramdisk logs, either "local"
or "swift".
type: string
IronicEnabledHardwareTypes:
default: ['ipmi', 'redfish']
description: Enabled Ironic hardware types
type: comma_delimited_list
IronicEnabledBiosInterfaces:
default: ['no-bios']
description: Enabled bios interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledBootInterfaces:
default: ['ipxe', 'pxe']
description: Enabled boot interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledConsoleInterfaces:
default: ['ipmitool-socat', 'no-console']
description: Enabled console interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledDeployInterfaces:
default: ['direct']
description: Enabled deploy interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledInspectInterfaces:
default: ['no-inspect']
description: Enabled inspect interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledManagementInterfaces:
default: ['ipmitool', 'noop', 'redfish']
description: Enabled management interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledNetworkInterfaces:
default: ['flat', 'neutron']
description: Enabled network interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledPowerInterfaces:
default: ['ipmitool', 'redfish']
description: Enabled power interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledRaidInterfaces:
default: ['no-raid', 'agent']
description: Enabled RAID interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledRescueInterfaces:
default: ['no-rescue', 'agent']
description: Enabled rescue interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledStorageInterfaces:
default: ['cinder', 'noop']
description: Enabled storage interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnabledVendorInterfaces:
default: ['ipmitool', 'no-vendor']
description: Enabled vendor interface implementations. Each hardware
type must have at least one valid implementation enabled.
type: comma_delimited_list
IronicEnableStagingDrivers:
default: false
description: Whether to enable use of staging drivers.
type: boolean
IronicImageDownloadSource:
default: http
description: Image delivery method for the "direct" deploy interface.
Use "swift" for the Object Storage temporary URLs,
use "http" for the local HTTP server (the same as for iPXE).
type: string
IronicIPXEEnabled:
default: false
description: DEPRECATED, boot interfaces are specified on a per-node basis
type: boolean
IronicIPXEPort:
default: 8088
description: Port to use for serving images when iPXE is used.
type: string
IronicIPXETimeout:
default: 60
description: iPXE timeout in second. Set to 0 for infinite timeout.
type: string
IronicPowerStateChangeTimeout:
default: 60
description: Number of seconds to wait for power operations to
complete, i.e., so that a baremetal node is in the
desired power state. If timed out, the power operation
is considered a failure.
type: string
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
IronicProvisioningNetwork:
default: 'provisioning'
description: Name or UUID of the *overcloud* network used for provisioning
of bare metal nodes, if IronicDefaultNetworkInterface is
set to "neutron". The default value of "provisioning" can be
left during the initial deployment (when no networks are
created yet) and should be changed to an actual UUID in
a post-deployment stack update.
type: string
tags:
- role_specific
IronicRescuingNetwork:
default: 'provisioning'
description: Name or UUID of the *overcloud* network used for resucing
of bare metal nodes, if IronicDefaultRescueInterface is not
set to "no-rescue". The default value of "provisioning" can be
left during the initial deployment (when no networks are
created yet) and should be changed to an actual UUID in
a post-deployment stack update.
type: string
tags:
- role_specific
IronicForcePowerStateDuringSync:
default: true
description: Whether to force power state during sync.
type: boolean
IronicConductorGroup:
description: The name of an Ironic Conductor Group.
default: ''
type: string
tags:
- role_specific
constraints:
- allowed_pattern: '^[a-zA-Z0-9_\-\.]*$'
MonitoringSubscriptionIronicConductor:
default: 'overcloud-ironic-conductor'
type: string
AdditionalArchitectures:
default: []
description: List of additional architectures to enable.
type: comma_delimited_list
IronicIpVersion:
default: 4
description: DEPRECATED, The IP version that will be used for PXE booting.
type: string
IronicDhcpv6StatefulAddressCount:
default: 4
description: Number of IPv6 addresses to allocate for ports created for
provisioning, cleaning, rescue or inspection on DHCPv6-stateful
networks. Different stages of the chain-loading process will
request addresses with different CLID/IAID. Due to non-
identical identifiers multiple addresses must be reserved for
the host to ensure each step of the boot process can
successfully lease addresses.
type: string
IronicAuthStrategy:
type: string
description: Auth strategy to use with ironic.
default: keystone
constraints:
- allowed_values: ['keystone', 'http_basic', 'noauth']
NeutronAuthStrategy:
type: string
description: Auth strategy to use with neutron.
default: keystone
constraints:
- allowed_values: ['keystone', 'noauth', 'http_basic']
IronicRpcTransport:
description: The remote procedure call transport between conductor and
API processes, such as a messaging broker or JSON RPC.
default: 'oslo'
type: string
constraints:
- allowed_values: ['oslo', 'json-rpc']
IronicIPXEUefiSnpOnly:
type: boolean
description: Wheater to use SNP (Simple Network Protocol) iPXE EFI, or not.
When set to true `ipxe-snponly` EFI is used.
default: true
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
Openstack mailing list.
parameters:
- IronicIPXEEnabled
- IronicIpVersion
conditions:
default_boot_interface_set:
not: {equals : [{get_param: IronicDefaultBootInterface}, '']}
default_deploy_interface_set:
not: {equals : [{get_param: IronicDefaultDeployInterface}, '']}
default_inspect_interface_set:
not: {equals : [{get_param: IronicDefaultInspectInterface}, '']}
service_debug:
or:
- {get_param: IronicDebug}
- {get_param: Debug}
enable_architecture_ppc64le: {contains: ['ppc64le', {get_param: AdditionalArchitectures}]}
ironic_conductor_group:
or:
- not: {equals: [{get_param: IronicConductorGroup}, '']}
- not: {equals: [{get_param: [RoleParameters, IronicConductorGroup]}, '']}
auth_strategy_non_default:
contains: [{get_param: IronicAuthStrategy}, ['noauth', 'http_basic']]
auth_strategy_noauth:
equals: [{get_param: IronicAuthStrategy}, 'noauth']
neutron_noauth:
equals: [{get_param: NeutronAuthStrategy}, 'noauth']
neutron_auth_non_default:
contains: [{get_param: NeutronAuthStrategy}, ['noauth', 'http_basic']]
rpc_transport_json_rpc:
{equals : [{get_param: IronicRpcTransport}, 'json-rpc']}
json_rpc_with_http_basic:
and:
- rpc_transport_json_rpc
- equals: [{get_param: IronicAuthStrategy}, 'http_basic']
resources:
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- map_merge:
- if:
- ironic_conductor_group
- ironic::conductor::conductor_group: IronicConductorGroup
- {}
- ironic::conductor::cleaning_network: IronicCleaningNetwork
ironic::conductor::provisioning_network: IronicProvisioningNetwork
ironic::conductor::rescuing_network: IronicRescuingNetwork
ContainerIronicConductorImage: ContainerIronicConductorImage
ContainerIronicConfigImage: ContainerIronicConfigImage
- values: {get_param: [RoleParameters]}
- values:
IronicConductorGroup: {get_param: IronicConductorGroup}
IronicProvisioningNetwork: {get_param: IronicProvisioningNetwork}
IronicCleaningNetwork: {get_param: IronicCleaningNetwork}
IronicRescuingNetwork: {get_param: IronicRescuingNetwork}
ContainerIronicConductorImage: {get_param: ContainerIronicConductorImage}
ContainerIronicConfigImage: {get_param: ContainerIronicConfigImage}
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
IronicBase:
type: ./ironic-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
Debug: {get_param: Debug}
IronicDebug: {get_param: IronicDebug}
outputs:
role_data:
description: Role data for the Ironic Conductor role.
value:
service_name: ironic_conductor
firewall_rules:
'134 ironic conductor TFTP':
dport: 69
proto: udp
'135 ironic conductor HTTP':
dport: {get_param: IronicIPXEPort}
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
config_settings:
map_merge:
- get_attr: [IronicBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- if:
- default_deploy_interface_set
- ironic::drivers::interfaces::default_deploy_interface: {get_param: IronicDefaultDeployInterface}
- if:
- default_boot_interface_set
- ironic::drivers::interfaces::default_boot_interface: {get_param: IronicDefaultBootInterface}
- if:
- default_inspect_interface_set
- ironic::drivers::interfaces::default_inspect_interface: {get_param: IronicDefaultInspectInterface}
- if:
- enable_architecture_ppc64le
- ironic::pxe::enable_ppc64le: true
ironic::drivers::ipmi::command_retry_timeout: 120
ironic::drivers::ipmi::min_command_interval: 15
- if:
- rpc_transport_json_rpc
- ironic::json_rpc::auth_strategy: {get_param: IronicAuthStrategy}
ironic::api::authtoken::password: {get_param: IronicPassword}
ironic::api::authtoken::project_name: 'service'
ironic::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::api::authtoken::region_name: {get_param: KeystoneRegion}
ironic::api::authtoken::interface: 'internal'
- ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase}
ironic::conductor::default_boot_option: {get_param: IronicDefaultBootOption}
ironic::conductor::default_boot_mode: {get_param: IronicDefaultBootMode}
ironic::drivers::ilo::default_boot_mode: {get_param: IronicDefaultBootMode}
ironic::conductor::automated_clean: {get_param: IronicAutomatedClean}
ironic::conductor::enabled_hardware_types: {get_param: IronicEnabledHardwareTypes}
ironic::conductor::force_power_state_during_sync: {get_param: IronicForcePowerStateDuringSync}
ironic::conductor::allow_provisioning_in_maintenance: false
ironic::conductor::power_state_change_timeout: {get_param: IronicPowerStateChangeTimeout}
# We need an endpoint containing a real IP, not a VIP here
ironic_conductor_http_host:
str_replace:
template:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::conductor::http_url:
list_join:
- ''
- - 'http://'
- "%{hiera('ironic_conductor_http_host')}:"
- {get_param: IronicIPXEPort}
ironic::drivers::pxe::ipxe_timeout: {get_param: IronicIPXETimeout}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
ironic::drivers::pxe::tftp_server:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::pxe::tftp_bind_host:
str_replace:
template:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::drivers::agent::deploy_logs_storage_backend: {get_param: IronicDeployLogsStorageBackend}
ironic::drivers::agent::deploy_logs_local_path: '/var/log/ironic/deploy/'
ironic::drivers::agent::deploy_logs_collect:
if:
- service_debug
- 'always'
- 'on_failure'
ironic::drivers::agent::image_download_source: {get_param: IronicImageDownloadSource}
ironic::drivers::interfaces::enabled_bios_interfaces: {get_param: IronicEnabledBiosInterfaces}
ironic::drivers::interfaces::enabled_boot_interfaces: {get_param: IronicEnabledBootInterfaces}
ironic::drivers::interfaces::enabled_console_interfaces: {get_param: IronicEnabledConsoleInterfaces}
ironic::drivers::interfaces::enabled_deploy_interfaces: {get_param: IronicEnabledDeployInterfaces}
ironic::drivers::interfaces::enabled_inspect_interfaces: {get_param: IronicEnabledInspectInterfaces}
ironic::drivers::interfaces::enabled_management_interfaces: {get_param: IronicEnabledManagementInterfaces}
ironic::drivers::interfaces::enabled_network_interfaces: {get_param: IronicEnabledNetworkInterfaces}
ironic::drivers::interfaces::enabled_power_interfaces: {get_param: IronicEnabledPowerInterfaces}
ironic::drivers::interfaces::enabled_raid_interfaces: {get_param: IronicEnabledRaidInterfaces}
ironic::drivers::interfaces::enabled_rescue_interfaces: {get_param: IronicEnabledRescueInterfaces}
ironic::drivers::interfaces::enabled_storage_interfaces: {get_param: IronicEnabledStorageInterfaces}
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
# ironic. It's used as a default value for e.g. TFTP server IP,
# glance and neutron endpoints, virtual console IP. We override
# the TFTP server IP in ironic-conductor.yaml as it should not be
# the VIP, but rather a real IP of the host.
ironic::my_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicNetwork]}
ironic::pxe::common::http_port: {get_param: IronicIPXEPort}
# Credentials to access other services
ironic::cinder::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::cinder::username: 'ironic'
ironic::cinder::password: {get_param: IronicPassword}
ironic::cinder::project_name: 'service'
ironic::cinder::user_domain_name: 'Default'
ironic::cinder::project_domain_name: 'Default'
ironic::cinder::region_name: {get_param: KeystoneRegion}
ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::glance::username: 'ironic'
ironic::glance::password: {get_param: IronicPassword}
ironic::glance::project_name: 'service'
ironic::glance::user_domain_name: 'Default'
ironic::glance::project_domain_name: 'Default'
ironic::glance::region_name: {get_param: KeystoneRegion}
ironic::neutron::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::neutron::username: 'ironic'
ironic::neutron::password: {get_param: IronicPassword}
ironic::neutron::project_name: 'service'
ironic::neutron::user_domain_name: 'Default'
ironic::neutron::project_domain_name: 'Default'
ironic::neutron::region_name: {get_param: KeystoneRegion}
ironic::neutron::dhcpv6_stateful_address_count: {get_param: IronicDhcpv6StatefulAddressCount}
ironic::service_catalog::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::service_catalog::username: 'ironic'
ironic::service_catalog::password: {get_param: IronicPassword}
ironic::service_catalog::project_name: 'service'
ironic::service_catalog::user_domain_name: 'Default'
ironic::service_catalog::project_domain_name: 'Default'
ironic::service_catalog::region_name: {get_param: KeystoneRegion}
ironic::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::swift::username: 'ironic'
ironic::swift::password: {get_param: IronicPassword}
ironic::swift::project_name: 'service'
ironic::swift::user_domain_name: 'Default'
ironic::swift::project_domain_name: 'Default'
ironic::swift::region_name: {get_param: KeystoneRegion}
ironic::drivers::inspector::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::drivers::inspector::username: 'ironic'
ironic::drivers::inspector::password: {get_param: IronicPassword}
ironic::drivers::inspector::project_name: 'service'
ironic::drivers::inspector::user_domain_name: 'Default'
ironic::drivers::inspector::project_domain_name: 'Default'
ironic::drivers::inspector::region_name: {get_param: KeystoneRegion}
tripleo::profile::base::ironic::conductor::enable_staging: {get_param: IronicEnableStagingDrivers}
# to avoid hard linking errors we store these on the same
# volume/device as the ironic master_path
# https://github.com/docker/docker/issues/7457
ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot
ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images
ironic::pxe::tftp_root: /var/lib/ironic/tftpboot
ironic::pxe::http_root: /var/lib/ironic/httpboot
ironic::conductor::http_root: /var/lib/ironic/httpboot
- if:
- neutron_auth_non_default
- ironic::neutron::auth_type:
if:
- neutron_noauth
- 'none'
- {get_param: NeutronAuthStrategy}
ironic::neutron::endpoint_override: {get_param: [EndpointMap, NeutronInternal, uri_no_suffix]}
- if:
- auth_strategy_non_default
- ironic::service_catalog::auth_type:
if:
- auth_strategy_noauth
- 'none'
- {get_param: IronicAuthStrategy}
ironic::drivers::inspector::auth_type:
if:
- auth_strategy_noauth
- none
- {get_param: IronicAuthStrategy}
ironic::drivers::inspector::endpoint_override: {get_param: [EndpointMap, IronicInspectorInternal, uri_no_suffix]}
ironic::service_catalog::endpoint_override: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
- if:
- {get_param: IronicIPXEUefiSnpOnly}
- ironic::pxe::common::uefi_ipxe_bootfile_name: snponly.efi
ironic::pxe::ipxe_name_base: ipxe-snponly
- ironic::pxe::common::uefi_ipxe_bootfile_name: ipxe.efi
ironic::pxe::ipxe_name_base: ipxe
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: ironic
puppet_tags: ironic_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::ironic::conductor
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerIronicConfigImage]}
volumes:
- /var/lib/ironic:/var/lib/ironic:z
kolla_config:
/var/lib/kolla/config_files/ironic_conductor.json:
command: /usr/bin/ironic-conductor
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/lib/ironic
owner: ironic:ironic
recurse: true
- path: /var/log/ironic
owner: ironic:ironic
recurse: true
container_config_scripts:
create_swift_temp_url_key.sh:
mode: "0700"
content: |
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_domain_name)
export OS_USER_DOMAIN_NAME=$(crudini --get /etc/ironic/ironic.conf swift user_domain_name)
export OS_PROJECT_NAME=$(crudini --get /etc/ironic/ironic.conf swift project_name)
export OS_USERNAME=$(crudini --get /etc/ironic/ironic.conf swift username)
export OS_PASSWORD=$(crudini --get /etc/ironic/ironic.conf swift password)
export OS_AUTH_URL=$(crudini --get /etc/ironic/ironic.conf swift auth_url)
export OS_INTERFACE=internal
export OS_AUTH_TYPE=password
export OS_IDENTITY_API_VERSION=3
echo "Check if a temporary URL key already exists"
RETVAL=-1
RETRIES=5
while [ ${RETVAL} -ne 0 ] && [ ${RETRIES} -gt 0 ]; do
RETRIES=$[$RETRIES-1]
CMD_OUT=$(openstack object store account show -f value)
RETVAL=$?
if [ ${RETVAL} -ne 0 ]; then
echo Retrying...
sleep 5
continue
fi
if [[ ! ${CMD_OUT} =~ "Temp-Url-Key" ]] ; then
echo "Creating a new temporary URL for project $OS_PROJECT_NAME"
SWIFT_TEMP_URL_KEY=$(uuidgen | sha1sum | awk '{print $1}')
openstack object store account set --property "Temp-URL-Key=$SWIFT_TEMP_URL_KEY"
RETVAL=$?
fi
done
docker_config:
step_4:
create_swift_temp_url_key:
if:
- {get_param: IronicConfigureSwiftTempUrlKey}
- start_order: 70
image: &ironic_conductor_image {get_attr: [RoleParametersValue, value, ContainerIronicConductorImage]}
net: host
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/config-data/puppet-generated/ironic/etc/ironic:/etc/ironic:ro
- /var/lib/container-config-scripts/create_swift_temp_url_key.sh:/create_swift_temp_url_key.sh:ro
user: root
command: "/usr/bin/bootstrap_host_exec ironic_conductor /create_swift_temp_url_key.sh"
ironic_conductor:
start_order: 80
image: *ironic_conductor_image
net: host
privileged: true
restart: always
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /sys:/sys
- /dev:/dev
- /run:/run #shared?
- /var/lib/ironic:/var/lib/ironic:z
- /var/log/containers/ironic:/var/log/ironic:z
- if:
- json_rpc_with_http_basic
- - /etc/ironic_conductor_passwd:/etc/ironic/htpasswd-json-rpc:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create fcontext entry for ironic data
community.general.sefcontext:
target: "/var/lib/ironic(/.*)?"
setype: container_file_t
state: present
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic, 'setype': container_file_t, 'mode': 'g+s' }
- name: create password file for json_rpc
vars:
is_json_rpc_with_http_basic:
if:
- json_rpc_with_http_basic
- true
- false
copy:
dest: /etc/ironic_conductor_passwd
content:
str_replace:
template: |
ironic:{{'$IRONIC_PASSWORD' | password_hash('bcrypt')}}
params:
$IRONIC_PASSWORD: {get_param: IronicPassword}
when: is_json_rpc_with_http_basic | bool
- name: stat /httpboot
stat: path=/httpboot
register: stat_httpboot
- name: stat /tftpboot
stat: path=/tftpboot
register: stat_tftpboot
- name: stat /var/lib/ironic/httpboot
stat: path=/var/lib/ironic/httpboot
register: stat_ironic_httpboot
- name: stat /var/lib/ironic/tftpboot
stat: path=/var/lib/ironic/tftpboot
register: stat_ironic_tftpboot
# cannot use 'copy' module as with 'remote_src' it doesn't support recursion
- name: migrate /httpboot to containerized (if applicable)
command: /bin/cp -R /httpboot /var/lib/ironic/httpboot
when: stat_httpboot.stat.exists and not stat_ironic_httpboot.stat.exists
- name: migrate /tftpboot to containerized (if applicable)
command: /bin/cp -R /tftpboot /var/lib/ironic/tftpboot
when: stat_tftpboot.stat.exists and not stat_ironic_tftpboot.stat.exists
# Even if there was nothing to copy from original locations,
# we need to create the dirs before starting the containers
- name: ensure ironic pxe directories exist
file:
path: /var/lib/ironic/{{ item }}
state: directory
with_items:
- httpboot
- tftpboot
- tftpboot/ppc64le
- images
upgrade_tasks: []
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop ironic conductor container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- ironic_conductor
tripleo_delegate_to: "{{ groups['ironic_conductor'] | default([]) }}"