METAL-1094: Sync with upstream metal3-io/ironic-image

.gitignore

@@ -1,2 +1 @@
-openstack-ironic
-openstack-ironic-inspector
+openstack-ironic

Dockerfile.ocp

@@ -42,15 +42,10 @@ COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-proxy.conf.j2 /etc/httpd-proxy.conf.j2
 COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
 
-RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
+RUN mkdir -p /var/lib/ironic && \
   sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
-  sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal" && \
   dnf remove -y sqlite
 
-# IRONIC-INSPECTOR #
-COPY ironic-inspector-config/ironic-inspector.conf.j2 /etc/ironic-inspector/
-COPY ironic-inspector-config/inspector-apache.conf.j2 /etc/httpd/conf.d/
-
 # configure non-root user and set relevant permissions
 RUN configure-nonroot.sh && \
   rm -f /bin/configure-nonroot.sh

Makefile

@@ -6,4 +6,5 @@ build-ocp:
 .PHONY: check-reqs
 
 check-reqs:
-	./tools/check-requirements.sh
+	./tools/check-requirements.sh
+

README.md

@@ -84,8 +84,6 @@ functionality:
   Defaults to use `IRONIC_EXTERNAL_IP` if available.
 - `IRONIC_EXTERNAL_HTTP_URL` - Override Ironic's external http URL. Defaults to
   use `IRONIC_EXTERNAL_IP` if available.
-- `IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE` - Override Inspector's callback
-  URL. Defaults to use `IRONIC_EXTERNAL_IP` if available.
 - `IRONIC_ENABLE_VLAN_INTERFACES` - Which VLAN interfaces to enable on the
   agent start-up. Can be a list of interfaces or a special value `all`.
   Defaults to `all`.
@@ -100,3 +98,4 @@ The following can serve as an example:
 - `OS_CONDUCTOR__CLEAN_CALLBACK_TIMEOUT=1800` - timeout (seconds) to wait for a
    callback from the ramdisk doing the cleaning
 - `OS_PXE__BOOT_RETRY_TIMEOUT=1200` - timeout (seconds) to enable boot retries.
+

configure-nonroot.sh

@@ -2,7 +2,7 @@
 
 # This script changes permissions to allow Ironic container to run as non-root
 # user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
-# ironic-inspector and ironic-log-watch via BMO's ironic k8s manifest, it has
+# and ironic-log-watch via BMO's ironic k8s manifest, it has
 # to be configured to work with multiple different users and groups, while they
 # share files via bind mounts (/shared, /certs/*), which can only get one
 # group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
@@ -14,29 +14,26 @@ set -eux
 # user and group are from ironic rpms (uid 997, gid 994)
 IRONIC_USER="ironic"
 IRONIC_GROUP="ironic"
-INSPECTOR_GROUP="ironic-inspector"
 
 # most containers mount /shared but dnsmasq can live without it
 mkdir -p /shared
-chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /shared
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
 
-# we'll bind mount shared ca and ironic/inspector certificate dirs here
+# we'll bind mount shared ca and ironic certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
-chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /certs{,/ca}
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
 chmod 2775 /certs{,/ca}
 
-# ironic, inspector and httpd related changes
+# ironic and httpd related changes
 chown -R root:"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chown -R "${IRONIC_USER}":"${INSPECTOR_GROUP}" /etc/ironic-inspector
-chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
-chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
+chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
 
 chown -R root:"${IRONIC_GROUP}" /var/lib/ironic
-chown -R root:"${INSPECTOR_GROUP}" /var/lib/ironic-inspector
-chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
-chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
+chmod 2775 /var/lib/ironic
+chmod 664 /var/lib/ironic/ironic.db
 
 # dnsmasq, and the capabilities required to run it as non-root user
 chown -R root:"${IRONIC_GROUP}" /etc/dnsmasq.conf /var/lib/dnsmasq

ironic-config/apache2-proxy.conf.j2

@@ -28,38 +28,3 @@
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
     {% endif %}
 </VirtualHost>
-
-{% if env.IRONIC_INSPECTOR_PROXY_PORT %}
-Listen {{ env.IRONIC_INSPECTOR_PROXY_PORT }}
-
-<VirtualHost *:{{ env.IRONIC_INSPECTOR_PROXY_PORT }}>
-
-    ErrorLog /dev/stderr
-    LogLevel debug
-    CustomLog /dev/stdout combined
-
-    ProxyPass "/"  "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
-    ProxyPassReverse "/"  "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
-    {% if env.IRONIC_INSPECTOR_UPSTREAM_PROTO == "https" %}
-    SSLProxyEngine On
-
-    {% if env.IRONIC_INSPECTOR_INSECURE == "true" %}
-    SSLProxyVerify none
-    SSLProxyCheckPeerExpire off
-    {% else %}
-    SSLProxyCACertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
-    SSLProxyVerify require
-    SSLProxyCheckPeerExpire on
-    {% endif %}
-    SSLProxyCheckPeerName off
-
-    {% endif %}
-
-    {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-    SSLEngine on
-    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
-    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
-    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
-    {% endif %}
-</VirtualHost>
-{% endif %}

ironic-config/inspector.ipxe.j2

@@ -4,7 +4,7 @@
 echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
-# ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+# ironic-image and configuration in configure-ironic.sh
+kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTION_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
 initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot

ironic-config/ironic.conf.j2

@@ -7,20 +7,21 @@ auth_strategy = noauth
 {% endif %}
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
+default_inspect_interface = agent
 default_network_interface = noop
 enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
 enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
+enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},irmc,fake,redfish,ilo
+enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
 enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_network_interfaces = noop
 enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
 enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
 enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
-enabled_firmware_interfaces = no-firmware,fake,redfish
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -146,24 +147,12 @@ power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
 extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
-
-{% if env.USE_IRONIC_INSPECTOR == "true" %}
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
-{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
-callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
-{% endif %}
-{% else %}
 hooks = $default_hooks,parse-lldp
 add_ports = all
 keep_ports = present
-{% endif %}
 
 [auto_discovery]
-enabled = {{ env.IRONIC_INSPECTOR_ENABLE_DISCOVERY }}
+enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
 driver = ipmi
 
 [ipmi]

prepare-image.sh

@@ -24,7 +24,6 @@ if  [[ -f /tmp/main-packages-list.ocp ]]; then
     REQS="${REMOTE_SOURCES_DIR}/requirements.cachito"
     IRONIC_UID=1002
     IRONIC_GID=1003
-    INSPECTOR_GID=1004
 
     ls -la "${REMOTE_SOURCES_DIR}/" # DEBUG
 
@@ -67,12 +66,10 @@ if  [[ -f /tmp/main-packages-list.ocp ]]; then
     # compile post-install (see RHEL-29028)
     python3 -m compileall --invalidation-mode=timestamp /usr
 
-    # ironic and ironic-inspector system configuration
-    mkdir -p /var/log/ironic /var/log/ironic-inspector /var/lib/ironic /var/lib/ironic-inspector
+    # ironic system configuration
+    mkdir -p /var/log/ironic /var/lib/ironic
     getent group ironic >/dev/null || groupadd -r -g "${IRONIC_GID}" ironic
     getent passwd ironic >/dev/null || useradd -r -g ironic -s /sbin/nologin -u "${IRONIC_UID}" ironic -d /var/lib/ironic
-    getent group ironic-inspector >/dev/null || groupadd -r -g "${INSPECTOR_GID}" ironic-inspector
-    getent passwd ironic-inspector >/dev/null || useradd -r -g ironic-inspector -s /sbin/nologin ironic-inspector -d /var/lib/ironic-inspector
 
     dnf remove -y $BUILD_DEPS
     rm -fr $PIP_SOURCES_DIR
@@ -89,11 +86,10 @@ chown ironic:ironic /var/log/ironic
 rm -f /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.modules.d/*.conf
 
 # RDO-provided configuration forces creating log files
-rm -f /usr/share/ironic/ironic-dist.conf /etc/ironic-inspector/inspector-dist.conf
+rm -f /usr/share/ironic/ironic-dist.conf
 
-# add ironic and ironic-inspector to apache group
+# add ironic to apache group
 usermod -aG ironic apache
-usermod -aG ironic-inspector apache
 
 dnf clean all
 rm -rf /var/cache/{yum,dnf}/*

requirements.cachito

@@ -1,5 +1,4 @@
 ironic @ git+https://github.com/openshift/openstack-ironic@cf4f04edb435abef8780e9efff4ba1445d8e1e58
-ironic-inspector @ git+https://github.com/openshift/openstack-ironic-inspector@316a4a36f9b1a641003b0e3150b86fd50fe1b158
 ironic-lib @ git+https://github.com/openshift/openstack-ironic-lib@b5f03a528d4710194a84d6876a994ad1b0bcec03
 sushy @ git+https://github.com/openshift/openstack-sushy@a3db7ad7b907c8090503e01210963aa7e6fa7ab9