Make sure that only IRONIC_IPV6 is set with a valid value when
PROVISIONING_IP is an IPv6 address by also clearing IRONIC_IP
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Unfortunately, likely due to some conflicts in the Apache, access cannot
be granted to /images/ only, so allow anyone for now.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The checks on the upstream project have reported some warnings to the
code accepted in PR #213, fix them in this commit.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Enable the use of two separate sockets for IPv4 and IPv6 when
LISTEN_ALL_INTERFACES is set to true. While desirable, on Linux Apache uses
IPv4-mapped IPv6 addresses by default, thus leveraging a single IPv6 socket
for IPv4 connections as well.
This behaviour is far from being desirable and can be disabled at compile
time via the "--disable-v4-mapped" flag, so make sure an ANY address
Listen directive is present for both IPv4 and IPv6. When Apache is compiled
with "--enable-v4-mapped", the IPv4 socket will be simply ignored.
Please see https://httpd.apache.org/docs/2.4/bind.html for more
information.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Enable the use of individual IPv4 and IPv6 sockets when the respective
IP is detected and LISTEN_ALL_INTERFACES is not set to true. This allows
to correctly bind to both the IPv4 and IPv6 addresses found and not just
one of them.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
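An added example, not code from the ironic-image repository, of the Listen selection the two commit messages above describe: one ANY-address directive per address family when LISTEN_ALL_INTERFACES is true, otherwise one directive per detected address, with no fallback to a wildcard bind. The function name and the port argument are assumptions; IRONIC_IP (IPv4) and IRONIC_IPV6 (IPv6) are used as named on this page.

```shell
#!/bin/sh
# Added example: print Apache "Listen" lines for the configured bind mode.
# listen_directives and its port argument are hypothetical names.

listen_directives() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac

    if [ "${LISTEN_ALL_INTERFACES:-false}" = "true" ]; then
        # Explicit ANY address for each family: two directives, so the
        # result does not rely on IPv4-mapped IPv6 addresses.
        printf 'Listen 0.0.0.0:%s\n' "$port"
        printf 'Listen [::]:%s\n' "$port"
        return 0
    fi

    # An IPv6 literal in the IPv4 variable would produce an ambiguous
    # "addr:port" line; reject it instead of emitting it.
    case "${IRONIC_IP:-}" in
        *:*) echo "IRONIC_IP holds an IPv6 address; use IRONIC_IPV6" >&2
             return 1 ;;
    esac

    # Fail closed: with no detected address, never widen to a wildcard.
    if [ -z "${IRONIC_IP:-}" ] && [ -z "${IRONIC_IPV6:-}" ]; then
        echo "no address to bind to" >&2
        return 1
    fi

    [ -z "${IRONIC_IP:-}" ] || printf 'Listen %s:%s\n' "$IRONIC_IP" "$port"
    # IPv6 literals must be bracketed in a Listen directive.
    [ -z "${IRONIC_IPV6:-}" ] || printf 'Listen [%s]:%s\n' "$IRONIC_IPV6" "$port"
}

# Constructed sample values (documentation address ranges), run in a subshell.
( IRONIC_IP=192.0.2.10; IRONIC_IPV6=2001:db8::10; listen_directives 6385 )
```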
When LISTEN_ALL_INTERFACES is not set, Apache should make Ironic API
available on either or both IPv4 and IPv6 sockets, depending on the
addresses requested or found on the system.
Make sure to set the "Listen" directive according to ENABLE_IPV4 and
ENABLE_IPV4, and the VirtualHost when IRONIC_URL_HOSTNAME is present.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Prioritize IPv6 over IPv4 when available to set host_ip in ironic.conf
when LISTEN_ALL_INTERFACES is not set to true.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
As per the Ironic documentation:
"This field [my_ip] does accept an IPv6 address as an override for templates
and URLs, however it is recommended that [DEFAULT]my_ipv6 is used along with
DNS names for service URLs for dual-stack environments."
Fill my_ipv6 when an IPv6 address has been found for binding.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
In a dual-stack scenario, especially when deploying in direct mode via
virtual media, it might be useful to 1) use a hostname to enable "dual IP"
URLs 2) have ironic bind to those two addresses, if found on the system.
To make this possible, this commit introduces:
- a new user environment variable named IRONIC_URL_HOSTNAME, to be used
as immutable external only input, to derive IRONIC_URL_HOST and the
IP addresses to bind on
- a new utility function named "get_ip_of_hostname" to help look up the
A and AAAA records
- additional logic to look for the returned address on the system, for
binding the processes; this new logic has lower priority than
PROVISIONING_IP (which can then be used to enforce one specific IP
version) and PROVISIONING_INTERFACE
Note, while IRONIC_URL_HOSTNAME and PROVISIONING_IP are considered to be
mutually exclusive, IRONIC_URL_HOSTNAME and PROVISIONING_INTERFACE are
not.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The ironic scripts either use PROVISIONING_IP as an input or try to
determine an IP address to bind the sockets to. This results in
IRONIC_IP being defined once the process is complete, and it can carry
either an IPv4 or an IPv6 address.
Likely, the assumption is that on Linux, by default, IPv4-mapped IPv6
addresses can be leveraged to serve both IPv4 and IPv6 through a single
socket. However this is not a good practice and two separate sockets
should be used instead, whenever possible.
This change modifies such logic by
- introducing the variable IRONIC_IPV6 alongside the existing
- matching IRONIC_IP and attempting to populate both variables
Please note that hostname based URLs, with both A and AAAA records, are
also required for a fully working dual-stack configuration.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Commit 2742439 added logic to tentatively identify the interface name
in get_provisioning_interface if the PROVISIONING_IP is provided.
However the same process is then repeated in wait_for_interface_or_ip.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use the previously introduced get_interface_of_ip, to determine if the
PROVISIONING_IP address is actually present on a network interface.
This improves the code readability and enables additional debugging
output.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The way the ironic-image processes are bound to internet sockets is mainly
by PROVISIONING_IP or PROVISIONING_INTERFACE, that is, by looking up a
specific address on an interface, or a specific interface for a workable
address.
Introduce two new utility functions in ironic-common.sh for these two
purposes:
get_interface_of_ip: returns the name of the interface where the IP address
provided as argument is found
get_ip_of_interface: returns the first IP associated to the interface
provided as argument
These two functions will be put into use in subsequent commits.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Whenever PROVISIONING_INTERFACE is not set by the user, function
get_provisioning_interface attempts to determine one, or provide
"provisionign" as default value. However this can cause confusing errors
down the line.
Remove this default value and fail gracefully, with proper logging,
if the PROVISIONING_INTERFACE value is not detected.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The value of host_ip is determined twice within the ironic.conf.j2 template
file, by means of a relatively hard to read set of conditions.
Avoid this duplication and improve readability by exporting the correct
value once in scripts/configure-ironic.sh. This also leaves more room for
more complex evaluations should these be needed in the future.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
v29.0.0 adds a couple of new scripts, such as ironic-probe.sh; make sure
they have the 'executable' flag.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The Prometheus exporter is effectively not only unused, but
unusable, due to missing dependencies. Since currently we
don't have a use case for it, opt for dropping the exporter
entirely from the image.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Previously .j2 files used to be copied to /etc before being
instantiated. In order to make the image potentially read only,
move the templates to /tmp.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Bypass the OpenStack network-data format validation, to allow for the
nmstate based one we instead use (which would otherwise fail).
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Allow the use of https, force it to 1 via the IPA_INSECURE environment
variable only when TLS is disabled.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Correct the path of the Apache modules for a SUSE image.
Also keep a couple of modules disabled.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Having a completely different image and build system, the Dockerfile will
always differ quite significantly from the upstream one. Nonetheless,
it's still useful to make the common parts look alike as much as
possible to ease maintenance and update.
Note, this is just a small set of changes that are possible, more effort
into this direction may follow at a later stage.
It is now possible to bring back the original directory structure for
config (/ironic-config) files and scripts (/scripts). This will make
updates to re-align with upstream easier.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The Prometheus exporter is effectively not only unused, but
unusable, due to missing dependencies. Since currently we
don't have a use case for it, opt for dropping the exporter
entirely from the image.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
One Docker specific OBS directive, ArchExclusiveLine, is incorrectly
testing for x86 instead of aarch64, likely due to a copy-and-paste
error. Change the architecture for that RUN command.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>