suse-edge/Factory
SHA256
14
0
Fork 15
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Dual-stack support #213

Merged
mchiappero merged 12 commits from mchiappero/Factory:dual-stack into main 2025-08-05 17:35:27 +02:00
Conversation 4 Commits 12 Files Changed 8 +223 -38
mchiappero commented 2025-07-24 13:46:17 +02:00
Owner
Copy Link

Dual stack changes, opening mainly as I need some automated build.

Dual stack changes, opening mainly as I need some automated build.
mchiappero added 24 commits 2025-07-24 13:46:18 +02:00
Align to v29.0.0 6c6544a608 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use correct paths and modules for Apache df4fce4388 
Correct the path of the Apache modules for a SUSE image.

Also keep a couple of modules disabled.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use ironic-suse user/group in Apache for media cc08766fdf 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use ironic-suse user/group in Apache for API dc68a1d44b 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Change GRUB path in ironic.conf 37a92b02c4 
Correct path for grub.cfg on a SUSE system.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use arch named IPA file in IMAGE_CACHE_PREFIX db28299e63 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use arch specific file for IPA 728354e926 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use arch specific ESP img 589be0a21f 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Disable the network schema check to allow for nmstate definitions 909aa27611 
Bypass the OpenStack network-data format validation, to allow for the
nmstate based one we instead use (which would otherwise fail).

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Update the destination path of Jinjia templates 7da89fbe2b 
Previously .j2 files used to be copied to /etc before being
instantiated. In order to make the image potentially read only,
move the templates to /tmp.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Force the use of Python 3.11 58f9552a26 
SLE 15.6 provides Python 3.11, make sure it's enforced.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Remove unused prometheus exporter 16d2670d54 
The Prometheus exporter is effectively, not only unused, but
unusable, due to missing dependencies. Since currently we
don't have use case for it, opt for dropping the exporter
entirely from the image.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Make the new scripts executable 5b8cbc57e1 
v29.0.0 add a couple of new scripts, such as ironic-probe.sh; make sure
they have the 'executable' flag.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Align configure-nonroot.sh
All checks were successful
Check Release Manifest Local Charts Versions / Check Release Manifest Local Charts Versions (pull_request) Successful in 8s
Details
Build PR in OBS / Build PR in OBS (pull_request_target) Successful in 4m3s
Details
05aa1341a9 
Try to reuse as much as possible of the upstream configure-nonroot.sh

Co-authored-by: Nicolas Belouin <nicolas.belouin@suse.com>
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Add two new utility functions for later refactoring 24aa5ea7c6 
The way the ironic-image processes are bound to internet sockets is mainly
by PROVISIONING_IP or PROVISIONING_INTERFACE, that is, by looking up a
specific address on an interface, or a specific interface for a workable
address.

Introduce two new utility functions in ironic-common.sh for these two
purposes:
get_interface_of_ip: returns the name of the interface where the IP address
                     provided as argument is found
get_ip_of_interface: returns the first IP associated to the interface
                     provided as argument

These two functions will be put into use in subsequent commits.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Introduce IRONIC_IPV6 to bind on IPv6 sockets 4c6ba24847 
The ironic scripts either use PROVISIONING_IP as an input or try to
determine an IP address to bind the sockets to. This results in
IRONIC_IP being defined once the process is complete, and it can carry
either an IPv4 or an IPv6 address.

Likely, the assumption is that on Linux, by default, IPv4-mapped IPv6
addresses can be leveraged to serve both IPv4 and IPv6 through a single
socket. However this is not a good practice and two separate sockets
should be used instead, whenever possible.

This change modifies such logic by
- introducing the variable IRONIC_IPV6 alongside the existing
- matching IRONIC_IP and attempting to populate both variables

Please note that hostname based URLs, with both A and AAAA records, are
also required for a fully working dual-stack configuration.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Leverage get_interface_of_ip to find PROVISIONING_IP 63aa0c9d9d 
Use the previously introduced get_interface_of_ip, to determine if the
PROVISIONING_IP address is actually present on a network interface.

This improves the code readability and enables additional debugging
output.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Revert 2742439 being now redundant 91d0e9cada 
Commit 2742439 added logic to tentatively identify the interface name
in get_provisioning_interface if the PROVISIONING_IP is provided.
However the same process in then repeated in wait_for_interface_or_ip.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Introduce hostname c93cb93305 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
Use my_ipv6 when IRONIC_IPV6 is defined 8300a87df2 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
let ironic API use v4 and v6 sockets 2ee658c661 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
make apache services truly dual socket b016fd2628 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
let httpd bind to both v4 and v6 if defined 225691f163 
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
simplify the definition of host_ip on ironic
Some checks failed
Check Release Manifest Local Charts Versions / Check Release Manifest Local Charts Versions (pull_request) Successful in 13s
Details
Build PR in OBS / Build PR in OBS (pull_request_target) Failing after 3h11m28s
Details
0bc2daef56
mchiappero force-pushed dual-stack from 0bc2daef56 to 412c22c5dc 2025-07-24 14:12:24 +02:00 Compare
mchiappero force-pushed dual-stack from 412c22c5dc to 5488424be6 2025-07-24 16:35:49 +02:00 Compare
mchiappero added 1 commit 2025-07-24 17:01:15 +02:00
merge upstream
All checks were successful
Check Release Manifest Local Charts Versions / Check Release Manifest Local Charts Versions (pull_request) Successful in 0s
Details
Build PR in OBS / Build PR in OBS (pull_request_target) Successful in 1m21s
Details
81f7820063
mchiappero force-pushed dual-stack from 81f7820063 to 84c10d362d 2025-07-25 12:28:00 +02:00 Compare
mchiappero force-pushed dual-stack from 84c10d362d to 64dbd45461 2025-07-25 12:43:36 +02:00 Compare
mchiappero added 1 commit 2025-07-25 13:36:21 +02:00
debugging output
All checks were successful
Check Release Manifest Local Charts Versions / Check Release Manifest Local Charts Versions (pull_request) Successful in 10s
Details
Build PR in OBS / Build PR in OBS (pull_request_target) Successful in 4m16s
Details
c508493bd6
mchiappero force-pushed dual-stack from c508493bd6 to 39cc72476a 2025-07-25 18:24:27 +02:00 Compare
mchiappero force-pushed dual-stack from 39cc72476a to 3075872a0c 2025-07-25 18:35:32 +02:00 Compare
mchiappero force-pushed dual-stack from 3075872a0c to e6481eb220 2025-07-25 22:28:40 +02:00 Compare
mchiappero force-pushed dual-stack from e6481eb220 to 653a8e5b2c 2025-07-26 00:19:03 +02:00 Compare
mchiappero force-pushed dual-stack from 653a8e5b2c to 1eb9fd6318 2025-07-28 11:02:27 +02:00 Compare
mchiappero force-pushed dual-stack from 1eb9fd6318 to f98d3d5c1e 2025-07-28 11:28:32 +02:00 Compare
mchiappero force-pushed dual-stack from f98d3d5c1e to a3096005fa 2025-07-28 15:13:02 +02:00 Compare
mchiappero force-pushed dual-stack from a3096005fa to 84174e428c 2025-07-28 16:21:57 +02:00 Compare
mchiappero force-pushed dual-stack from 84174e428c to 8630cca617 2025-07-28 22:25:41 +02:00 Compare
mchiappero force-pushed dual-stack from 8630cca617 to dbc8e0975b 2025-07-28 23:08:16 +02:00 Compare
mchiappero force-pushed dual-stack from dbc8e0975b to bb815874ae 2025-07-29 07:45:46 +02:00 Compare
mchiappero added 1 commit 2025-07-29 08:34:46 +02:00
Temporary debugging prints
All checks were successful
Check Release Manifest Local Charts Versions / Check Release Manifest Local Charts Versions (pull_request) Successful in -4s
Details
Build PR in OBS / Build PR in OBS (pull_request_target) Successful in 6m34s
Details
9c526f084e
mchiappero force-pushed dual-stack from 9c526f084e to f260540edb 2025-07-29 10:29:13 +02:00 Compare
mchiappero force-pushed dual-stack from f260540edb to 3b51a9d144 2025-07-29 11:03:52 +02:00 Compare
mchiappero changed title from WIP: dual-stack to dual-stack 2025-07-29 11:08:30 +02:00
mchiappero requested review from amorgante 2025-07-29 11:08:46 +02:00
mchiappero requested review from nbelouin 2025-07-29 11:08:46 +02:00
mchiappero requested review from steven.hardy 2025-07-29 11:08:46 +02:00
mchiappero commented 2025-07-29 11:18:07 +02:00
Author
Owner
Copy Link

Okay, I think it's good to go now, if you could PTAL... There are only a couple of things I would like to explore, that is, 1) the use of IRONIC_URL_HOSTNAME in ironic.conf for CONDUCTOR_HOST and host_ip when available 2) the use of ::1 when we have IRONIC_IPV6 for ProxyPass in Apache.

Other than that, I have a few manual tests I would like to run before being reasonably safe it's all right, but it's starting to look good to me, so take a look and let me know if there is anything that doesn't look good to you.

On a side note, setting the LISTEN_ALL_INTERFACES to false requires a change for the liveness and readiness probes... I wonder if we should let the user choose if to bind on localhost in addition to the provisioning/hostname IP(s). What do you think?

Okay, I think it's good to go now, if you could PTAL... There are only a couple of things I would like to explore, that is, 1) the use of IRONIC_URL_HOSTNAME in ironic.conf for CONDUCTOR_HOST and host_ip when available 2) the use of ::1 when we have IRONIC_IPV6 for ProxyPass in Apache. Other than that, I have a few manual tests I would like to run before being reasonably safe it's all right, but it's starting to look good to me, so take a look and let me know if there is anything that doesn't look good to you. On a side note, setting the LISTEN_ALL_INTERFACES to false requires a change for the liveness and readiness probes... I wonder if we should let the user choose if to bind on localhost in addition to the provisioning/hostname IP(s). What do you think?
mchiappero commented 2025-07-29 11:19:19 +02:00
Author
Owner
Copy Link

Oh, and need to reword a few commit messages.

Oh, and need to reword a few commit messages.
mchiappero force-pushed dual-stack from 3b51a9d144 to 54357a748a 2025-07-29 18:46:44 +02:00 Compare
mchiappero force-pushed dual-stack from 54357a748a to 6dd551f7db 2025-07-29 18:55:35 +02:00 Compare
mchiappero force-pushed dual-stack from 6dd551f7db to e5f765ec69 2025-07-30 10:09:32 +02:00 Compare
nbelouin reviewed 2025-07-30 10:38:36 +02:00
nbelouin left a comment
Owner
Copy Link

LGTM overall, few things need attention, would be nice to have a matching PR upstream, so that we keep in sync as much as possible.

LGTM overall, few things need attention, would be nice to have a matching PR upstream, so that we keep in sync as much as possible.
ironic-image/Dockerfile Outdated
@@ -24,3 +24,3 @@
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
nbelouin commented 2025-07-30 10:30:10 +02:00
Owner
Copy Link

nit: might be easier to maintain by having a first RUN instruction with all packages common for the two architectures, then a RUN line for each architecture with arch-specific items

nit: might be easier to maintain by having a first RUN instruction with all packages common for the two architectures, then a RUN line for each architecture with arch-specific items
👍 1
mchiappero commented 2025-07-30 10:59:55 +02:00
Author
Owner
Copy Link

Or a variable pulled by both, to avoid unnecessary layers in the container.

Or a variable pulled by both, to avoid unnecessary layers in the container.
nbelouin commented 2025-07-30 11:31:51 +02:00
Owner
Copy Link

The layers here are in first stage container, and OBS will not be able to follow a variable here, so better split in two here

The layers here are in first stage container, and OBS will not be able to follow a variable here, so better split in two here
👍 1
ironic-image/scripts/ironic-common.sh Outdated
@@ -43,4 +124,1 @@
local interface="provisioning"
if [[ -n "${PROVISIONING_IP}" ]]; then
nbelouin commented 2025-07-30 10:36:49 +02:00
Owner
Copy Link

We may want to keep this kind of behavior of setting the interface from the IP as this information is used by PXE setup.

We may want to keep this kind of behavior of setting the interface from the IP as this information is used by PXE setup.
mchiappero commented 2025-07-30 10:46:54 +02:00
Author
Owner
Copy Link

It still works that way, the interface name is derived at wait_for_interface_or_ip now from the PROVISIONING_IP (fixing a lookup at a point where the IP might not be present anyway) and set into PROVISIONING_INTERFACE . What changes is the use of "provisioning" as default value, which will result in an obscure error when looking it up on the system: it's best to fail cleanly.

That being said, since PROVISIONING_INTERFACE is an input, it should not be changed, it's one of the many hints of how little design and thinking it has gone through these scripts.

It still works that way, the interface name is derived at wait_for_interface_or_ip now from the PROVISIONING_IP (fixing a lookup at a point where the IP might not be present anyway) and set into PROVISIONING_INTERFACE . What changes is the use of "provisioning" as default value, which will result in an obscure error when looking it up on the system: it's best to fail cleanly. That being said, since PROVISIONING_INTERFACE is an input, it should not be changed, it's one of the many hints of how little design and thinking it has gone through these scripts.
mchiappero commented 2025-07-30 14:28:31 +02:00
Author
Owner
Copy Link

@nbelouin @steven.hardy Regarding the VirtualHost directive for the Ironic API, I wonder if it shouldn't include any IRONIC_EXTERNAL_IP or IRONIC_EXTERNAL_HTTP_URL. If so... it has always been buggy then?

Edit: I mean, listen to ALL, but Ironic API that should be reachable by both the provisioning network (either by hostname or IPs) and the BMC one (either by hostname or IPs). Unfortunately Ironic can have many different combinations and corner cases...

@nbelouin @steven.hardy Regarding the VirtualHost directive for the Ironic API, I wonder if it shouldn't include any IRONIC_EXTERNAL_IP or IRONIC_EXTERNAL_HTTP_URL. If so... it has always been buggy then? Edit: I mean, listen to ALL, but Ironic API that should be reachable by both the provisioning network (either by hostname or IPs) and the BMC one (either by hostname or IPs). Unfortunately Ironic can have many different combinations and corner cases...
mchiappero changed title from dual-stack to Dual-stack support 2025-08-04 16:45:01 +02:00
mchiappero force-pushed dual-stack from e5f765ec69 to e2d38a867c 2025-08-04 16:48:22 +02:00 Compare
mchiappero merged commit e2d38a867c into main 2025-08-05 17:35:27 +02:00
mchiappero deleted branch dual-stack 2025-08-05 17:35:27 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
nbelouin
steven.hardy
amorgante
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
amorgante atanasdinov atrendafilov dbekhit dprodanov eminguez fdegirmenci geoagriogiannis ipetrov117 jtomasek kzhelyazkov mchiappero nbelouin roxenham steven.hardy
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: suse-edge/Factory#213
No description provided.
Delete Branch "mchiappero/Factory:dual-stack"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?