diff --git a/ironic-config/httpd-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2 index 6338deca1..bda581669 100644 --- a/ironic-config/httpd-ironic-api.conf.j2 +++ b/ironic-config/httpd-ironic-api.conf.j2 @@ -79,7 +79,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} Require all granted - + Require all granted diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2 index dd99ae14d..2ecdd654e 100644 --- a/ironic-config/ironic.conf.j2 +++ b/ironic-config/ironic.conf.j2 @@ -2,7 +2,7 @@ auth_strategy = noauth debug = true default_deploy_interface = direct -default_inspect_interface = inspector +default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %} default_network_interface = noop enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media @@ -10,7 +10,7 @@ enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent # NOTE(dtantsur): when changing this, make sure to update the driver # dependencies in Dockerfile. enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,ibmc,manual-management,ilo,ilo5 -enabled_inspect_interfaces = inspector,idrac-wsman,irmc,fake,redfish,ilo +enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo,ilo5,noop enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,redfish,idrac-redfish,ilo5 
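Review bot: In ironic.conf.j2 the inline conditional on `default_inspect_interface` (hunk at line 2) is repeated verbatim on `enabled_inspect_interfaces` (hunk at line 10), so a later edit to one can leave the default outside the enabled list. Computing it once near the top of the template, e.g. `{% set inspect_interface = "inspector" if env.USE_IRONIC_INSPECTOR == "true" else "agent" %}`, and writing `{{ inspect_interface }}` in both places keeps the two settings in step. A one-line comment next to it stating that any value other than the exact string `true` selects `agent` would also help, since the comparison is a plain string match.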
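Review bot: On the `enabled_inspect_interfaces` line of ironic.conf.j2 (hunk at line 10), `inspector` and `agent` are mutually exclusive, so changing USE_IRONIC_INSPECTOR on an existing deployment removes the interface that already-enrolled nodes may still have set. Those nodes would presumably fail validation until their inspect interface is changed, and nothing visible in this diff migrates them. A comment above the line, e.g. `# NOTE: nodes using the other inspect interface must be updated when USE_IRONIC_INSPECTOR changes.`, would make that requirement visible to operators.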
@@ -133,19 +133,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }} dhcp_provider = none [inspector] -endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }} power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }} -{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %} -cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }} -insecure = {{ env.IRONIC_INSPECTOR_INSECURE }} -{% endif %} # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe # Also keep in mind that only parameters unique for inspection go here. # No need to duplicate pxe_append_params/kernel_append_params. extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 + +{% if env.USE_IRONIC_INSPECTOR == "true" %} +endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }} +{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %} +cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }} +insecure = {{ env.IRONIC_INSPECTOR_INSECURE }} +{% endif %} {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %} callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }} {% endif %} +{% else %} +hooks = $default_hooks,parse-lldp +add_ports = all +keep_ports = present +{% endif %} [ipmi] # use_ipmitool_retries transfers the responsibility of retrying to ipmitool @@ -212,7 +219,7 @@ kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC # boot (the default), ensuring that they boot correctly even if they start # netbooting for some reason (e.g. with the noop management interface). enable_netboot_fallback = true -# Enable the fallback path to ironic-inspector +# Enable the fallback path to in-band inspection ipxe_fallback_script = inspector.ipxe [redfish] diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh index 6a50af0fa..6e36113a0 100755 --- a/scripts/configure-ironic.sh 
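Review bot: The `{% else %}` branch of the `[inspector]` section sets `hooks = $default_hooks,parse-lldp`, `add_ports = all` and `keep_ports = present` with no comment, although these decide which port records are created and kept from data the inspection ramdisk submits. That data comes from whatever boots on the provisioning network, so the reason for choosing `all` and `present` (presumably to mirror the previous ironic-inspector setup) should be written down where an operator can weigh it. Suggested comment above the three lines: `# Built-in inspection: create ports for every NIC the ramdisk reports and keep only ports present in the latest inventory.` The rest of the section's NOTE comments are unchanged and still apply to both branches.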
+++ b/scripts/configure-ironic.sh @@ -93,7 +93,9 @@ configure_json_rpc_auth # The original ironic.conf is empty, and can be found in ironic.conf_orig render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf -configure_client_basic_auth ironic-inspector +if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then + configure_client_basic_auth ironic-inspector +fi configure_client_basic_auth ironic-rpc # Make sure ironic traffic bypasses any proxies diff --git a/scripts/ironic-common.sh b/scripts/ironic-common.sh index 7fbdb38a2..f63f6a36a 100644 --- a/scripts/ironic-common.sh +++ b/scripts/ironic-common.sh @@ -100,3 +100,11 @@ export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT} export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050} export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT} + +# If this is false, built-in inspection is used. +export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true} +export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false} +if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then + echo "Discovery is only supported with ironic-inspector at this point" + exit 1 +fi diff --git a/scripts/runhttpd b/scripts/runhttpd index d05ae070d..ab8c4fcf1 100755 --- a/scripts/runhttpd +++ b/scripts/runhttpd 
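Review bot: In the scripts/ironic-common.sh hunk, `USE_IRONIC_INSPECTOR` is given a default but never validated, so a value such as `True` or `yes` counts as "not true" for this check and for the templates and silently switches the deployment to built-in inspection. Rejecting anything other than `true` or `false` right after the default is assigned turns a typo into a start-up failure instead of a change of inspection backend. The message in the added `if` also goes to stdout; `echo "Discovery is only supported with ironic-inspector at this point" >&2` keeps it with the other errors. The file continues outside this hunk, so an existing validation helper, if there is one, is not visible here.

```shell
export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
case "${USE_IRONIC_INSPECTOR}" in
  true | false) ;;
  *)
    echo "FATAL: USE_IRONIC_INSPECTOR must be \"true\" or \"false\", got \"${USE_IRONIC_INSPECTOR}\"" >&2
    exit 1
    ;;
esac
# … unchanged: IRONIC_INSPECTOR_ENABLE_DISCOVERY default and the discovery check …
```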
@@ -33,7 +33,12 @@ chmod 0777 /shared/html IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}" -INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue" +if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then + INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue" +else + INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection" +fi + if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}" fi @@ -47,7 +52,7 @@ mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example # Render the core httpd config render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf -if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then +if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG" fi diff --git a/scripts/runironic-inspector b/scripts/runironic-inspector index 36902764e..9ff7da935 100755 --- a/scripts/runironic-inspector +++ b/scripts/runironic-inspector @@ -14,6 +14,11 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false} # shellcheck disable=SC1091 . /bin/auth-common.sh +if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then + echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR" + exit 1 +fi + wait_for_interface_or_ip IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
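Review bot: The guard added to scripts/runironic-inspector tests `== "false"`, while every other check in this commit compares against `"true"`, so a value like `no` or `0` renders ironic.conf for built-in inspection yet still lets this script start ironic-inspector and expose its API. Matching the other checks closes that gap: `if [[ "${USE_IRONIC_INSPECTOR:-true}" != "true" ]]; then`; the `:-true` keeps the default even if ironic-common.sh is not sourced before this point, which the hunk does not show. The failure message should also go to stderr: `echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR" >&2`.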