Remove unused files as a single process/service is used

Revision 7 from isv:SUSE:Edge:Metal3:Ironic:2024.2 introduced
significant changes on how Ironic is run, by having only a single Apache
instance running the API, and conductor and inspector no longer use IP
sockets. However while porting this change to Factory some files have
not been removed here, so remove no longer used files to keep this
repository up to date.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>

_config

@@ -60,6 +60,7 @@ BuildFlags: onlybuild:release-manifest-image
     BuildFlags: excludebuild:endpoint-copier-operator-image
     BuildFlags: excludebuild:ironic-image
     BuildFlags: excludebuild:ironic-ipa-downloader-image
+    BuildFlags: excludebuild:kiwi-builder-image
     BuildFlags: excludebuild:kubectl-image
     BuildFlags: excludebuild:kube-rbac-proxy-image
     BuildFlags: excludebuild:metallb-controller-image
@@ -149,6 +150,10 @@ BuildFlags: onlybuild:release-manifest-image
 %else
     %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
       BuildFlags: excludebuild:kiwi-builder-image
+    %else
+      %ifarch aarch64
+        BuildFlags: onlybuild:kiwi-builder-image
+      %endif
     %endif
 %endif
 

ironic-image/inspector-apache.conf.j2

@@ -1,57 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
- <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
-{% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
- <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
-{% endif %}
-    {% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
-    ProxyPass "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
-    ProxyPassReverse "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
-    {% else %}
-    ProxyPass "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
-    ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
-    {% endif %}
-
-    SetEnv APACHE_RUN_USER ironic-suse
-    SetEnv APACHE_RUN_GROUP ironic-suse
-
-    ErrorLog /dev/stdout
-    LogLevel debug
-    CustomLog /dev/stdout combined
-
-    SSLEngine On
-    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
-    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }} 
-    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
-
-    {% if "INSPECTOR_HTPASSWD" in env and env.INSPECTOR_HTPASSWD | length %}
-    <Location / >
-        AuthType Basic
-        AuthName "Restricted area"
-        AuthUserFile "/etc/ironic-inspector/htpasswd"
-        Require valid-user
-    </Location>
-
-    <Location ~ "^/(v1/?)?$" >
-        Require all granted
-    </Location>
-
-    <Location /v1/continue >
-        Require all granted
-    </Location>
-    {% endif %}
-</VirtualHost>

ironic-image/ironic-inspector.conf.j2

@@ -1,68 +0,0 @@
-[DEFAULT]
-auth_strategy = noauth
-debug = true
-transport_url = fake://
-use_stderr = true
-{% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %}
-{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
-listen_unix_socket = /shared/inspector.sock
-# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
-# another container, we need to make it world-writeable.
-listen_unix_socket_mode = 0666
-{% else %}
-listen_port = {{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}
-listen_address = 127.0.0.1
-{% endif %}
-{% elif env.LISTEN_ALL_INTERFACES | lower == "true" %}
-listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
-listen_address = ::
-{% else %}
-listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
-listen_address = {{ env.IRONIC_IP }}
-{% endif %}
-host = {{ env.IRONIC_IP }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
-use_ssl = true
-{% endif %}
-
-[database]
-connection = sqlite:////var/lib/ironic-inspector/ironic-inspector.db
-
-{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
-[discovery]
-enroll_node_driver = ipmi
-{% endif %}
-
-[ironic]
-auth_type = none
-endpoint_override = {{ env.IRONIC_BASE_URL }}
-{% if env.IRONIC_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSECURE }}
-{% endif %}
-
-[processing]
-add_ports = all
-always_store_ramdisk_logs = true
-keep_ports = present
-{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
-node_not_found_hook = enroll
-{% endif %}
-permit_active_introspection = true
-power_off = false
-processing_hooks = $default_processing_hooks,lldp_basic
-ramdisk_logs_dir = /shared/log/ironic-inspector/ramdisk
-store_data = database
-
-[pxe_filter]
-driver = noop
-
-[service_catalog]
-auth_type = none
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
-
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
-[ssl]
-cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }}
-key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }}
-{% endif %}

ironic-image/runironic-api

@@ -1,13 +0,0 @@
-#!/usr/bin/bash
-
-export IRONIC_DEPLOYMENT="API"
-
-# shellcheck disable=SC1091
-. /bin/configure-ironic.sh
-
-export IRONIC_REVERSE_PROXY_SETUP=false
-
-python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
-
-# shellcheck disable=SC1091
-. /bin/runhttpd

ironic-image/runironic-conductor

@@ -1,20 +0,0 @@
-#!/usr/bin/bash
-
-export IRONIC_DEPLOYMENT="Conductor"
-
-# shellcheck disable=SC1091
-. /bin/configure-ironic.sh
-
-# Ramdisk logs
-mkdir -p /shared/log/ironic/deploy
-
-run_ironic_dbsync
-
-if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
-    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
-        kill $(pgrep ironic)
-    done &
-fi
-
-exec /usr/bin/ironic-conductor

ironic-image/runironic-inspector

@@ -1,62 +0,0 @@
-#!/usr/bin/bash
-
-set -euxo pipefail
-
-CONFIG=/etc/ironic-inspector/ironic-inspector.conf
-
-export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
-export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
-
-# shellcheck disable=SC1091
-. /bin/tls-common.sh
-# shellcheck disable=SC1091
-. /bin/ironic-common.sh
-# shellcheck disable=SC1091
-. /bin/auth-common.sh
-
-if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
-    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
-    exit 1
-fi
-
-wait_for_interface_or_ip
-
-IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
-if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
-    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]] && [[ "${IRONIC_INSPECTOR_PRIVATE_PORT}" != "unix" ]]; then
-        IRONIC_INSPECTOR_PORT=$IRONIC_INSPECTOR_PRIVATE_PORT
-    fi
-else
-    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
-fi
-
-export IRONIC_INSPECTOR_BASE_URL="${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_PORT}"
-export IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"
-
-build_j2_config()
-{
-    local CONFIG_FILE="$1"
-    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
-}
-
-# Merge with the original configuration file from the package.
-build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
-
-configure_inspector_auth
-
-configure_client_basic_auth ironic "${CONFIG}"
-
-ironic-inspector-dbsync --config-file "${CONFIG}" upgrade
-
-if [[ "$INSPECTOR_REVERSE_PROXY_SETUP" == "false" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
-    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
-        kill $(pgrep ironic)
-    done &
-fi
-
-# Make sure ironic traffic bypasses any proxies
-export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
-
-# shellcheck disable=SC2086
-exec /usr/bin/ironic-inspector

metal3-chart/Chart.yaml

@@ -1,7 +1,7 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.7_up0.11.5
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.7_up0.11.5-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6-%RELEASE%
 apiVersion: v2
-appVersion: 0.11.5
+appVersion: 0.11.6
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
@@ -15,7 +15,7 @@ dependencies:
   condition: global.enable_mariadb
   name: mariadb
   repository: file://./charts/mariadb
-  version: 0.5.4
+  version: 0.6.0
 - alias: metal3-media
   condition: global.enable_metal3_media_server
   name: media
@@ -25,4 +25,4 @@ description: A Helm chart that installs all of the dependencies needed for Metal
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.7+up0.11.5"
+version: "%%CHART_MAJOR%%.0.8+up0.11.6"

metal3-chart/charts/mariadb/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 10.6.7
+appVersion: "10.11"
 description: A Helm chart for MariaDB, used by Metal3
 name: mariadb
 type: application
-version: 0.5.4
+version: 0.6.0

metal3-chart/charts/mariadb/templates/configmap-mariadb.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap 
+metadata:
+  name: mariadb-config
+  labels:
+    {{- include "mariadb.labels" . | nindent 4 }}
+data:
+  ironic.conf: |
+    [mariadb]
+    max_connections 64
+    max_heap_table_size 1M
+    innodb_buffer_pool_size 5M
+    innodb_log_buffer_size 512K

metal3-chart/charts/mariadb/templates/configmap.yaml

@@ -5,4 +5,7 @@ metadata:
   labels:
     {{- include "mariadb.labels" . | nindent 4 }}
 data:
-  RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
+  MARIADB_USER: ironic
+  MARIADB_RANDOM_ROOT_PASSWORD: "yes"
+  MARIADB_DATABASE: ironic
+  MARIADB_AUTO_UPGRADE: "yes"

metal3-chart/charts/mariadb/templates/deployment.yaml

@@ -25,23 +25,50 @@ spec:
       serviceAccountName: {{ include "mariadb.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+      # This would run during entrypoint if run as root
+      - name: set-volume-owners
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+            runAsUser: 0
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - CHOWN
+              - FOWNER
+              - DAC_OVERRIDE
+            seccompProfile:
+              type: RuntimeDefault
+        volumeMounts:
+          - name: mariadb-conf
+            mountPath: /etc/mysql/conf.d
+          - name: mariadb-run
+            mountPath: /run/mysql
+          {{- $volmounts }}
+        command: ['bash', '-c', 'source /usr/local/bin/docker-entrypoint.sh && docker_create_db_directories']
+        env:
+          - name: DATADIR
+            value: /var/lib/mysql
+          - name: SOCKET
+            value: /run/mysql/mysql.sock
       containers:
       - name: mariadb
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
+        envFrom:
+          - configMapRef:
+              name: mariadb-cm
         env:
           - name: MARIADB_PASSWORD
             valueFrom:
               secretKeyRef:
                 key: password
                 name: ironic-mariadb
-          - name: RESTART_CONTAINER_CERTIFICATE_UPDATED
-            valueFrom:
-              configMapKeyRef:
-                name: mariadb-cm
-                key: RESTART_CONTAINER_CERTIFICATE_UPDATED
         lifecycle:
           preStop:
             exec:
@@ -52,9 +79,9 @@ spec:
         livenessProbe:
           exec:
             command:
-              - sh
-              - -c
-              - mysqladmin status -uironic -p$(printenv MARIADB_PASSWORD)
+              - healthcheck.sh
+              - --connect
+              - --innodb_initialized
           failureThreshold: 10
           initialDelaySeconds: 30
           periodSeconds: 30
@@ -67,19 +94,29 @@ spec:
         readinessProbe:
           exec:
             command:
-              - sh
-              - -c
-              - mysqladmin status -uironic -p$(printenv MARIADB_PASSWORD)
+              - healthcheck.sh
+              - --connect
+              - --innodb_initialized
           failureThreshold: 10
           initialDelaySeconds: 30
           periodSeconds: 30
           successThreshold: 1
           timeoutSeconds: 10
         volumeMounts:
+            - name: mariadb-conf
+              mountPath: /etc/mysql/conf.d
+            - name: mariadb-run
+              mountPath: /run/mysql
             {{- $volmounts }}
       {{- with .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+        - name: mariadb-conf
+          configMap:
+            name: mariadb-config
+        - name: mariadb-run
+          emptyDir:
+            sizeLimit: 20Mi
         {{- $volumes }}

metal3-chart/charts/mariadb/values.yaml

@@ -12,9 +12,9 @@ service:
     targetPort: 3306
 
 image:
-  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/suse/mariadb
+  repository: registry.suse.com/suse/mariadb
   pullPolicy: IfNotPresent
-  tag: 10.6.15.1
+  tag: 10.11
 
 nameOverride: ""
 fullnameOverride: ""
@@ -31,8 +31,8 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext:
-  runAsUser: 10060
-  fsGroup: 10060
+  runAsUser: 60
+  fsGroup: 60
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -60,6 +60,7 @@ persistence:
 volumeMounts:
   - name: mariadb-data-volume
     mountPath: /var/lib/mysql
+    subPath: data
 
 volumes:
   - name: mariadb-data-volume

metal3-chart/values.yaml

@@ -115,8 +115,8 @@ metal3-mariadb:
   persistence:
     storageClass: ""
   image:
-    repository: "registry.suse.com/edge/mariadb"
-    tag: "10.6.15.1"
+    repository: "registry.suse.com/suse/mariadb"
+    tag: "10.11"
 
 #
 # Baremetal Operator

release-manifest-image/release_manifest.yaml

@@ -171,7 +171,7 @@ spec:
         - prettyName: Metal3
           releaseName: metal3
           chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metal3"
-          version: "%%CHART_MAJOR%%.0.7+up0.11.5"
+          version: "%%CHART_MAJOR%%.0.8+up0.11.6"
         - prettyName: RancherTurtles
           releaseName: rancher-turtles
           chart: "%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles"