From f0076374cc3350e2d123231b17eed1b57c3ebb05 Mon Sep 17 00:00:00 2001
From: owenthomas17
Date: Tue, 23 Jul 2024 09:42:52 +0100
Subject: [PATCH 1/5] Update httpd.conf.j2
The current `Listen` directive does not work on systems that have ipv6 disabled. The Apache Listen directive supports `Listen ` syntax at which point it seems to be able to listen correctly on both dual stack and ipv4 only systems. See https://httpd.apache.org/docs/2.4/bind.html for more details.
Signed-off-by: Owen Thomas
---
 ironic-config/httpd.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ironic-config/httpd.conf.j2 b/ironic-config/httpd.conf.j2
index b82073947..a449923eb 100644
--- a/ironic-config/httpd.conf.j2
+++ b/ironic-config/httpd.conf.j2
@@ -1,6 +1,6 @@
 ServerRoot "/etc/httpd"
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen [::]:{{ env.HTTP_PORT }}
+Listen {{ env.HTTP_PORT }}
 {% else %}
 Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 {% endif %}
From b71bfe0886f004c356f95c59f096e456f085d01e Mon Sep 17 00:00:00 2001
From: Mahnoor Asghar
Date: Mon, 29 Jul 2024 10:57:16 -0400
Subject: [PATCH 2/5] Remove unused variable IRONIC_VMEDIA_SCHEME
Signed-off-by: Mahnoor Asghar
---
 scripts/tls-common.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/scripts/tls-common.sh b/scripts/tls-common.sh
index 60b20093f..d23ec1fe9 100644
--- a/scripts/tls-common.sh
+++ b/scripts/tls-common.sh
@@ -77,10 +77,8 @@ else
 fi
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
- export IRONIC_VMEDIA_SCHEME="https"
 export IRONIC_VMEDIA_TLS_SETUP="true"
 else
- export IRONIC_VMEDIA_SCHEME="http"
 export IRONIC_VMEDIA_TLS_SETUP="false"
 fi
From ac30746ae55545f9e9201f6da34ac7adb4e70d0d Mon Sep 17 00:00:00 2001
From: Riccardo Pittau
Date: Wed, 3 Jul 2024 12:44:55 +0200
Subject: [PATCH 3/5] Remove dnf config-manager after its use
We don't really need it in the final image
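Review bot: The reason for dropping the `[::]:` prefix on the `Listen` line lives only in the commit message, so a reader of the template cannot tell that the bare-port form is deliberate rather than an omission. A Jinja comment next to the directive would keep that rationale with the code, e.g. `{# no address on purpose: a bare port binds every local address of both families (see httpd bind.html) and, unlike [::], still works where IPv6 is disabled #}`. This branch is only reached when `LISTEN_ALL_INTERFACES` is true, so the exposure (all interfaces) is the one the operator asked for; the else branch keeps binding to `IRONIC_URL_HOST`.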
Signed-off-by: Riccardo Pittau
---
 prepare-image.sh | 2 +-
 prepare-image.sh.BKP | 95 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100755 prepare-image.sh.BKP
diff --git a/prepare-image.sh b/prepare-image.sh
index d5880e598..1cd832134 100755
--- a/prepare-image.sh
+++ b/prepare-image.sh
@@ -44,7 +44,7 @@ if [[ -f /tmp/main-packages-list.ocp ]]; then
 # NOTE(janders): adding --no-compile option to avoid issues in FIPS
 # enabled environments. See https://issues.redhat.com/browse/RHEL-29028
 # for more information
- PIP_OPTIONS="--no-compile"
+ PIP_OPTIONS="--no-compile --no-cache-dir"
 if [[ ! -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
 PIP_OPTIONS="$PIP_OPTIONS --no-index"
 fi
diff --git a/prepare-image.sh.BKP b/prepare-image.sh.BKP
new file mode 100755
index 000000000..1cd832134
--- /dev/null
+++ b/prepare-image.sh.BKP
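Review bot: The only real change in this hunk is `PIP_OPTIONS="--no-compile --no-cache-dir"`, which neither matches the subject "Remove dnf config-manager after its use" nor explains why the pip cache is now disabled, and the same commit adds `prepare-image.sh.BKP`, a 95-line copy of the script that the next patch in the series deletes again; the backup file should be dropped from the series and the subject reworded to describe the pip option. `--no-cache-dir` is a reasonable choice for an image build, and a one-line comment such as `# --no-cache-dir: nothing in the pip cache is useful in the final image` next to the existing NOTE block would keep the rationale with the other option notes. `PIP_OPTIONS` is later consumed as an unquoted `$PIP_OPTIONS` expansion (visible in the `.BKP` copy), so it relies on word splitting and must never hold an option with spaces; a bash array (`pip_options=(--no-compile --no-cache-dir)` and `"${pip_options[@]}"`) would make that contract explicit. The enclosing `if [[ -f /tmp/main-packages-list.ocp ]]` block starts before and ends after this hunk.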
@@ -0,0 +1,95 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
+# Tell RPM to skip installing documentation
+echo "tsflags=nodocs" >> /etc/dnf/dnf.conf
+
+dnf upgrade -y
+xargs -rtd'\n' dnf install -y < /tmp/${PKGS_LIST}
+if [ $(uname -m) = "x86_64" ]; then
+ dnf install -y syslinux-nonlinux;
+fi
+
+if [[ -n "${EXTRA_PKGS_LIST:-}" ]]; then
+ if [[ -s "/tmp/${EXTRA_PKGS_LIST}" ]]; then
+ xargs -rtd'\n' dnf install -y < /tmp/"${EXTRA_PKGS_LIST}"
+ fi
+fi
+
+### cachito magic works for OCP only
+if [[ -f /tmp/main-packages-list.ocp ]]; then
+
+ REQS="${REMOTE_SOURCES_DIR}/requirements.cachito"
+ IRONIC_UID=1002
+ IRONIC_GID=1003
+
+ ls -la "${REMOTE_SOURCES_DIR}/" # DEBUG
+
+ # load cachito variables only if they're available
+ if [[ -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
+ source "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps/cachito.env"
+ REQS="${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps/app/requirements.cachito"
+ fi
+
+ ### source install ###
+ BUILD_DEPS="python3-devel gcc gcc-c++"
+
+ dnf install -y python3-pip python3-setuptools $BUILD_DEPS
+
+ # NOTE(elfosardo): --no-index is used to install the packages emulating
+ # an isolated environment in CI. Do not use the option for downstream
+ # builds.
+ # NOTE(janders): adding --no-compile option to avoid issues in FIPS
+ # enabled environments. See https://issues.redhat.com/browse/RHEL-29028
+ # for more information
+ PIP_OPTIONS="--no-compile --no-cache-dir"
+ if [[ ! -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
+ PIP_OPTIONS="$PIP_OPTIONS --no-index"
+ fi
+
+ # NOTE(elfosardo): download all the libraries and dependencies first, removing
+ # --no-index but using --no-deps to avoid chain-downloading packages.
+ # This forces to download only the packages specified in the requirements file,
+ # but we leave the --no-index in the installation phase to again avoid
+ # downloading unexpected packages and install only the downloaded ones.
+ # This is done to allow testing any source code package in CI emulating
+ # the cachito downstream build pipeline.
+ # See https://issues.redhat.com/browse/METAL-1049 for more details.
+ PIP_SOURCES_DIR="all_sources"
+ mkdir $PIP_SOURCES_DIR
+ python3 -m pip download --no-deps -r "${REQS}" -d $PIP_SOURCES_DIR
+ python3 -m pip install $PIP_OPTIONS --prefix /usr -r "${REQS}" -f $PIP_SOURCES_DIR
+
+ # NOTE(janders) since we set --no-compile at install time, we need to
+ # compile post-install (see RHEL-29028)
+ python3 -m compileall --invalidation-mode=timestamp -q /usr
+
+ # ironic system configuration
+ mkdir -p /var/log/ironic /var/lib/ironic
+ getent group ironic >/dev/null || groupadd -r -g "${IRONIC_GID}" ironic
+ getent passwd ironic >/dev/null || useradd -r -g ironic -s /sbin/nologin -u "${IRONIC_UID}" ironic -d /var/lib/ironic
+
+ dnf remove -y $BUILD_DEPS
+ rm -fr $PIP_SOURCES_DIR
+
+ if [[ -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
+ rm -rf $REMOTE_SOURCES_DIR
+ fi
+
+fi
+###
+
+chown ironic:ironic /var/log/ironic
+# This file is generated after installing mod_ssl and it affects our configuration
+rm -f /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.modules.d/*.conf
+
+# RDO-provided configuration forces creating log files
+rm -f /usr/share/ironic/ironic-dist.conf
+
+# add ironic to apache group
+usermod -aG ironic apache
+
+dnf clean all
+rm -rf /var/cache/{yum,dnf}/*
From 76b06d4c623c283439c17c7392079a5bf166a64e Mon Sep 17 00:00:00 2001
From: Riccardo Pittau
Date: Thu, 25 Jul 2024 17:37:15 +0200
Subject: [PATCH 4/5] Update ipxe version
This is a tentative to make ipxe more close to the current version and include some improvements and bug fixes. As a first step we build and install ipxe using a commit hash, as no stable versions have been released since December 2020. We point the ipxe commit hash to [1] from November 2021, so roughly a year of changes is included. To see the complete list of changes run: `git log --pretty=oneline 988d2c1..9062544` from a local clone of the ipxe repository. In general the changes included between the stable 1.21.1 version and the current chosen hash improve compatibility with recent gcc and build libraries, while fixing numerous bugs. This change also introduce a build arg to allow choosing the ipxe commit hash at container build time. [1] https://github.com/ipxe/ipxe/commit/9062544f6a0c69c249b90d21a08d05518aafc2ec
Signed-off-by: Riccardo Pittau
---
 prepare-image.sh.BKP | 95 --------------------------------------------
 1 file changed, 95 deletions(-)
 delete mode 100755 prepare-image.sh.BKP
diff --git a/prepare-image.sh.BKP b/prepare-image.sh.BKP
deleted file mode 100755
index 1cd832134..000000000
--- a/prepare-image.sh.BKP
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/usr/bin/bash
-
-set -euxo pipefail
-
-echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
-# Tell RPM to skip installing documentation
-echo "tsflags=nodocs" >> /etc/dnf/dnf.conf
-
-dnf upgrade -y
-xargs -rtd'\n' dnf install -y < /tmp/${PKGS_LIST}
-if [ $(uname -m) = "x86_64" ]; then
- dnf install -y syslinux-nonlinux;
-fi
-
-if [[ -n "${EXTRA_PKGS_LIST:-}" ]]; then
- if [[ -s "/tmp/${EXTRA_PKGS_LIST}" ]]; then
- xargs -rtd'\n' dnf install -y < /tmp/"${EXTRA_PKGS_LIST}"
- fi
-fi
-
-### cachito magic works for OCP only
-if [[ -f /tmp/main-packages-list.ocp ]]; then
-
- REQS="${REMOTE_SOURCES_DIR}/requirements.cachito"
- IRONIC_UID=1002
- IRONIC_GID=1003
-
- ls -la "${REMOTE_SOURCES_DIR}/" # DEBUG
-
- # load cachito variables only if they're available
- if [[ -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
- source "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps/cachito.env"
- REQS="${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps/app/requirements.cachito"
- fi
-
- ### source install ###
- BUILD_DEPS="python3-devel gcc gcc-c++"
-
- dnf install -y python3-pip python3-setuptools $BUILD_DEPS
-
- # NOTE(elfosardo): --no-index is used to install the packages emulating
- # an isolated environment in CI. Do not use the option for downstream
- # builds.
- # NOTE(janders): adding --no-compile option to avoid issues in FIPS
- # enabled environments. See https://issues.redhat.com/browse/RHEL-29028
- # for more information
- PIP_OPTIONS="--no-compile --no-cache-dir"
- if [[ ! -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
- PIP_OPTIONS="$PIP_OPTIONS --no-index"
- fi
-
- # NOTE(elfosardo): download all the libraries and dependencies first, removing
- # --no-index but using --no-deps to avoid chain-downloading packages.
- # This forces to download only the packages specified in the requirements file,
- # but we leave the --no-index in the installation phase to again avoid
- # downloading unexpected packages and install only the downloaded ones.
- # This is done to allow testing any source code package in CI emulating
- # the cachito downstream build pipeline.
- # See https://issues.redhat.com/browse/METAL-1049 for more details.
- PIP_SOURCES_DIR="all_sources"
- mkdir $PIP_SOURCES_DIR
- python3 -m pip download --no-deps -r "${REQS}" -d $PIP_SOURCES_DIR
- python3 -m pip install $PIP_OPTIONS --prefix /usr -r "${REQS}" -f $PIP_SOURCES_DIR
-
- # NOTE(janders) since we set --no-compile at install time, we need to
- # compile post-install (see RHEL-29028)
- python3 -m compileall --invalidation-mode=timestamp -q /usr
-
- # ironic system configuration
- mkdir -p /var/log/ironic /var/lib/ironic
- getent group ironic >/dev/null || groupadd -r -g "${IRONIC_GID}" ironic
- getent passwd ironic >/dev/null || useradd -r -g ironic -s /sbin/nologin -u "${IRONIC_UID}" ironic -d /var/lib/ironic
-
- dnf remove -y $BUILD_DEPS
- rm -fr $PIP_SOURCES_DIR
-
- if [[ -d "${REMOTE_SOURCES_DIR}/cachito-gomod-with-deps" ]]; then
- rm -rf $REMOTE_SOURCES_DIR
- fi
-
-fi
-###
-
-chown ironic:ironic /var/log/ironic
-# This file is generated after installing mod_ssl and it affects our configuration
-rm -f /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.modules.d/*.conf
-
-# RDO-provided configuration forces creating log files
-rm -f /usr/share/ironic/ironic-dist.conf
-
-# add ironic to apache group
-usermod -aG ironic apache
-
-dnf clean all
-rm -rf /var/cache/{yum,dnf}/*
From 33ee8da1e288e8afb878a973912446ca20af565d Mon Sep 17 00:00:00 2001
From: Riccardo Pittau
Date: Tue, 6 Aug 2024 11:04:16 +0200
Subject: [PATCH 5/5] Enable FIPS mode for IPA if system is in FIPS mode
If FIPS is enabled in the hosts we should also run IPA in FIPS mode. It is possible to enable FIPS directly at kernel level using the fips option, determining the FIPS status for example from the cryptographic module and specifically the /proc/sys/crypto/fips_enabled file; if the file contains 1 then the system is in FIPS mode, if it contains 0 the FIPS algorithms are disabled. Therefore the value of the fips kernel option is 0 (default) if FIPS is disabled, or 1 if enabled. Note: Upstream commit changed to only set fips= when the value is 1 https://issues.redhat.com//browse/OCPBUGS-39536
Signed-off-by: Riccardo Pittau
---
 ironic-config/ironic.conf.j2 | 10 ++++++----
 scripts/configure-ironic.sh | 5 +++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
index f2cf873c6..2df43905d 100644
--- a/ironic-config/ironic.conf.j2
+++ b/ironic-config/ironic.conf.j2
@@ -213,7 +213,9 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+# https://issues.redhat.com//browse/OCPBUGS-39536
+# fips= is only applied it the value is 1 (see below also)
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
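Review bot: The new comment line `# fips= is only applied it the value is 1 (see below also)` has a typo and should read `# fips= is only applied if the value is 1 (see below also)`; on the same hunk, `{%if env.ENABLE_FIPS_IPA == "1"%}` is written without the inner spaces that every other tag on that line uses (`{% if … %}`), which reads as a different author's style. The FIPS fragment is now repeated verbatim in four `kernel_append_params` values, here and in the [redfish], [ilo] and [irmc] sections of the next hunk, so a future change to the condition has to be made four times and can silently drift; a single `{% set %}` block near the top of the template, referenced from each section, would keep the FIPS logic in one place. The comment would also help a reader if it named the producer of the value, e.g. `# ENABLE_FIPS_IPA is exported by configure-ironic.sh from /proc/sys/crypto/fips_enabled`.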
@@ -226,14 +228,14 @@ ipxe_config_template = /tmp/ipxe_config.template
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 use_web_server_for_images = true
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {%if env.ENABLE_FIPS_IPA == "1"%}fips=1 {% endif %}{% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
index 3a5fc49ef..588ebe026 100755
--- a/scripts/configure-ironic.sh
+++ b/scripts/configure-ironic.sh
@@ -88,6 +88,11 @@ configure_json_rpc_auth
 . /bin/coreos-ipa-common.sh
+if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+ ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
+ export ENABLE_FIPS_IPA
+fi
+
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
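Review bot: The new block overwrites any `ENABLE_FIPS_IPA` already present in the container environment whenever `/proc/sys/crypto/fips_enabled` exists, so the kernel's value always wins; if that is intended (host FIPS state is authoritative and must not be downgraded from the environment), a comment above the `if` should say so, e.g. `# IPA FIPS mode follows the host kernel; an ENABLE_FIPS_IPA from the environment is deliberately ignored`, otherwise `: "${ENABLE_FIPS_IPA:=$(< /proc/sys/crypto/fips_enabled)}"` keeps an explicit operator value. The `cat` fork can be avoided with `ENABLE_FIPS_IPA=$(< /proc/sys/crypto/fips_enabled)`, which is safe here because the file is a one-line sysctl and command substitution strips the trailing newline the template comparison against `"1"` would otherwise trip on. When the file is missing or unreadable the variable stays unset and the template silently omits `fips=1`, so a FIPS host whose container cannot see the sysctl would boot IPA without FIPS and nothing would record it; a `printf '%s\n' "…" >&2` warning in that case would make the gap visible in the logs. Presumably `fips=1` only takes effect if the IPA ramdisk kernel and initramfs are themselves FIPS-capable, which this script cannot check, so that assumption is worth stating in the same comment.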