The BMO should now connect via the provisioningHostname if set or an IP
address. Add a helper that returns the ironic hostname or correctly
formatted IP to define the ironicApiHost variable in the BMO configmap.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Recently provisioningHostname has been introduced as an alternative way
to configure the IPs to bind and respond to. This however requires that
the Certificates for HTTPS also include a dnsNames section whenver such
value is present.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
So far ironicIP has been part of values.yaml under the global section,
however this is very misleading: this variable is internal to the Ironic
startup scripts and should not be set, moreover it conflicts with
provisioningIP, which is instead a public configuration variable for the
purpose.
This commits thus introduces the following changes:
- removes the creation of IRONIC_IP in the Ironic configmap
- does not yet remove ironicIP from values.yaml to avoid breaking
forward compatibility
- introduces a utility function to perform input validation while still
prioritizing ironicIP if present
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
It should be possible to enable or disable the environment variable
LISTEN_ALL_INTERFACE in the Ironic configmap, as it allows to the way
Ironic binds to socket, especially in combination with the changes
introduced in v29.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Create a new provisioningHostname value in values.yaml in order to set
the new IRONIC_URL_HOSTNAME, that allows to set the address(es) Ironic
will bind to.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Since currently we can only define the provisioning network and the
external HTTP host, remove some clutter generating unused variables.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The purpose of this commit is to:
- avoid providing IRONIC_EXTERNAL_HTTP_URL by default, as the Ironic
startup scripts will be able to derive the value from other variables
- define a new global value under the top values.yaml to define
IRONIC_EXTERNAL_HTTP_URL when actually needed
- make sure that the input, which can either be a hostname or an IP
address, is correctly formatted in case of an IPv6.
This change also allows subsequent cleanups of the whole Configmap
template for Ironic.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Enable the use of two separate sockets for IPv4 and IPv6 when
LISTEN_ALL_INTERFACES is set to true. While desirable, on Linux Apache uses
IPv4-mapped IPv6 addresses by default, thus leveraging a single IPv6 socket
for IPv4 connections as well.
This behaviour is far from being desirable and can be disabled at compile
time via the "--disable-v4-mapped" flag, so make sure both an ANY address
Listen directive is present for both IPv4 and IPv6. When Apache is compiled
with "--enable-v4-mapped", the IPv4 socket will be simply ignored.
Please see https://httpd.apache.org/docs/2.4/bind.html for more
information.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Enable the use of individual IPv4 and IPv6 sockets when the respective
IP is detected and LISTEN_ALL_INTERFACES is not set to true. This allows
to correctly bind to both the IPv4 and IPv6 addresses found and not just
one of them.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
When LISTEN_ALL_INTERFACES is not set, Apache should make Ironic API
avaiable on either or both IPv4 and IPv6 sockets, depending on the
addresses requested or found on the system.
Make sure to set the "Listen" directive according to ENABLE_IPV4 and
ENABLE_IPV4, and the VirtualHost when IRONIC_URL_HOSTNAME is present.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Prioritize IPv6 over IPv4 when available to set host_ip in ironic.conf
when LISTEN_ALL_INTERFACES is not set to true.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
As per the Ironic documentation:
"This field [my_ip] does accept an IPv6 address as an override for templates
and URLs, however it is recommended that [DEFAULT]my_ipv6 is used along with
DNS names for service URLs for dual-stack environments."
Fill my_ipv6 when an IPv6 address has been found for binding.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
In a dual-stack scenario, especially when deploying in direct mode via
virtual media, it might be useful to 1) use a hostname to enable "dual IP"
URLs 2) have ironic bind to those two addresses, if found on the system.
To make this possible, this commit introduces:
- a new user environment variable named IRONIC_URL_HOSTNAME, to be used
as immutable external only input, to derive IRONIC_URL_HOST and the
IP addresses to bind on
- a new utility function named "get_ip_of_hostname" to help look up the
A and AAAA records
- additional logic to look for the returned address on the system, for
binding the processes; this new logic has lower priority than
PROVISIONING_IP (which can then be used to enforce one specific IP
version) and PROVISIONING_INTERFACE
Note, while IRONIC_URL_HOSTNAME and PROVISIONING_IP are considered to be
mutually exclusive, IRONIC_URL_HOSTNAME and PROVISIONING_INTERFACE are
not.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The ironic scripts either use PROVISIONING_IP as an input or try to
determine an IP address to bind the sockets to. This results in
IRONIC_IP being defined once the process is complete, and it can carry
either an IPv4 or an IPv6 address.
Likely, the assumption is that on Linux, by default, IPv4-mapped IPv6
addresses can be leveraged to serve both IPv4 and IPv6 through a single
socket. However this is not a good practice and two separate sockets
should be used instead, whenever possible.
This change modifies such logic by
- introducing the variable IRONIC_IPV6 alongside the existing
- matching IRONIC_IP and attempting to populate both variables
Please note that hostname based URLs, with both A and AAAA records, are
also required for a fully working dual-stack configuration.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Commit 2742439 added logic to tentatively identify the interface name
in get_provisioning_interface if the PROVISIONING_IP is provided.
However the same process in then repeated in wait_for_interface_or_ip.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use the previously introduced get_interface_of_ip, to determine if the
PROVISIONING_IP address is actually present on a network interface.
This improves the code readability and enables additional debugging
output.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The way the ironic-image processes are bound to internet sockets is mainly
by PROVISIONING_IP or PROVISIONING_INTERFACE, that is, by looking up a
specific address on an interface, or a specific interface for a workable
address.
Introduce two new utility functions in ironic-common.sh for these two
purposes:
get_interface_of_ip: returns the name of the interface where the IP address
provided as argument is found
get_ip_of_interface: returns the first IP associated to the interface
provided as argument
These two functions will be put into use in subsequent commits.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Whenever PROVISIONING_INTERFACE is not set by the user, function
get_provisioning_interface attempts to determine one, or provide
"provisionign" as default value. However this can cause confusing errors
down the line.
Remove this default value and fail gracefully, with proper logging,
if the PROVISIONING_INTERFACE value is not detected.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
The value of host_ip is determined twice within the ironic.conf.j2 template
file, by means of a relatively hard to read set of conditions.
Avoid this duplication and improve readability by exporting the correct
value once in scripts/configure-ironic.sh. This also leave more room for
more complex evaluations should these be needed in the future.
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
