diff --git a/controllers/ironicconductor_controller.go b/controllers/ironicconductor_controller.go
index 5ef70677..fbe8de0c 100644
--- a/controllers/ironicconductor_controller.go
+++ b/controllers/ironicconductor_controller.go
@@ -837,6 +837,7 @@ func (r *IronicConductorReconciler) generateServiceConfigMaps(
 "common.sh": "/common/bin/common.sh",
 "get_net_ip": "/common/bin/get_net_ip",
 "runlogwatch.sh": "/common/bin/runlogwatch.sh",
+ "pxe-init.sh": "/common/bin/pxe-init.sh",
 },
 Labels: cmLabels,
 },
diff --git a/controllers/ironicinspector_controller.go b/controllers/ironicinspector_controller.go
index 84297200..b2a1b654 100644
--- a/controllers/ironicinspector_controller.go
+++ b/controllers/ironicinspector_controller.go
@@ -1462,6 +1462,7 @@ func (r *IronicInspectorReconciler) generateServiceConfigMaps(
 "common.sh": "/common/bin/common.sh",
 "get_net_ip": "/common/bin/get_net_ip",
 "runlogwatch.sh": "/common/bin/runlogwatch.sh",
+ "pxe-init.sh": "/common/bin/pxe-init.sh",
 },
 Labels: cmLabels,
 },
diff --git a/pkg/ironic/initcontainer.go b/pkg/ironic/initcontainer.go
index 3e6be6a1..88c6ab06 100644
--- a/pkg/ironic/initcontainer.go
+++ b/pkg/ironic/initcontainer.go
@@ -116,26 +116,6 @@ func InitContainer(init APIDetails) []corev1.Container {
 var containers []corev1.Container
 
- if init.PxeInit {
- pxeInit := corev1.Container{
- Name: "pxe-init",
- Image: init.PxeContainerImage,
- SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
- },
- Command: []string{
- "/bin/bash",
- },
- Args: []string{
- "-c",
- PxeInitContainerCommand,
- },
- Env: envs,
- VolumeMounts: init.VolumeMounts,
- }
- containers = append(containers, pxeInit)
- }
-
 initContainer := corev1.Container{
 Name: "init",
 Image: init.ContainerImage,
@@ -167,5 +147,26 @@ func InitContainer(init APIDetails) []corev1.Container {
 containers = append(containers, ipaInit)
 }
 
+ if init.PxeInit {
+ pxeInit := corev1.Container{
+ Name: "pxe-init",
+ Image: init.PxeContainerImage,
+ SecurityContext: &corev1.SecurityContext{
+ RunAsUser: &runAsUser,
+ Privileged: &init.Privileged,
+ },
+ Command: []string{
+ "/bin/bash",
+ },
+ Args: []string{
+ "-c",
+ PxeInitContainerCommand,
+ },
+ Env: envs,
+ VolumeMounts: init.VolumeMounts,
+ }
+ containers = append(containers, pxeInit)
+ }
+
 return containers
 }
diff --git a/pkg/ironicconductor/statefulset.go b/pkg/ironicconductor/statefulset.go
index 6811eb99..b3c0d502 100644
--- a/pkg/ironicconductor/statefulset.go
+++ b/pkg/ironicconductor/statefulset.go
@@ -340,6 +340,7 @@ func StatefulSet(
 VolumeMounts: initVolumeMounts,
 PxeInit: true,
 ConductorInit: true,
+ Privileged: true,
 DeployHTTPURL: deployHTTPURL,
 IngressDomain: ingressDomain,
 ProvisionNetwork: instance.Spec.ProvisionNetwork,
diff --git a/pkg/ironicinspector/initcontainer.go b/pkg/ironicinspector/initcontainer.go
index 5a9e9ece..31537ada 100644
--- a/pkg/ironicinspector/initcontainer.go
+++ b/pkg/ironicinspector/initcontainer.go
@@ -46,7 +46,7 @@ const (
 InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
 
 // PxeInitContainerCommand -
- PxeInitContainerCommand = "/usr/local/bin/container-scripts/pxe-init.sh"
+ PxeInitContainerCommand = "/usr/local/bin/container-scripts/inspector-pxe-init.sh"
 )
 
 // InitContainer - init container for Ironic Inspector pods
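Review bot: The re-added pxe-init container now carries `Privileged: &init.Privileged`, which the conductor StatefulSet in this same change sets to true, while the inspector's counterpart in pkg/ironicinspector/initcontainer.go gets only `SYS_CHROOT` and `SETFCAP` for the very same common pxe-init.sh. Privileged turns off seccomp and AppArmor, grants every capability and exposes host devices to the container, far more than the cpio unpack and `unshare -r chroot … update-ca-trust` in the script appear to need. Unless the conductor image differs in a way the diff does not show, replace the Privileged line with the inspector's form, `Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"SYS_CHROOT", "SETFCAP"}},`, so both init containers run with the same minimal grant. Whether those two capabilities suffice on a runtime whose default seccomp profile filters unshare(2) is not visible here and needs a check on the target cluster. InitContainer begins before this hunk.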
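Review bot: `Privileged: true` is hard-coded in the APIDetails literal with nothing in the CR to turn it off, and the field is consumed by the pxe-init container in pkg/ironic/initcontainer.go and, if the conductor's ironic-python-agent-init container is built like the inspector's, by that one too, so a single flag now promotes every init container that reads it. A trailing comment naming the requirement, e.g. `Privileged: true, // pxe-init.sh unpacks the IPA ramdisk and chroots into it to run update-ca-trust`, makes the blast radius reviewable; if only the chroot step needs elevation, a capability list on that one container is the narrower fix. StatefulSet begins before this hunk.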
@@ -128,12 +128,31 @@ func InitContainer(init APIDetails) []corev1.Container {
 }
 containers = append(containers, inspectorInit)
 
+ if init.IpaInit {
+ ipaInit := corev1.Container{
+ Name: "ironic-python-agent-init",
+ Image: init.IronicPythonAgentImage,
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: &init.Privileged,
+ },
+ Env: imageCopyEnvs,
+ VolumeMounts: init.VolumeMounts,
+ }
+ containers = append(containers, ipaInit)
+ }
+
 if init.PxeInit {
 pxeInit := corev1.Container{
 Name: "inspector-pxe-init",
 Image: init.PxeContainerImage,
 SecurityContext: &corev1.SecurityContext{
 RunAsUser: &runAsUser,
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{
+ "SYS_CHROOT",
+ "SETFCAP",
+ },
+ },
 },
 Command: []string{
 "/bin/bash",
@@ -145,18 +164,5 @@ func InitContainer(init APIDetails) []corev1.Container {
 containers = append(containers, pxeInit)
 }
 
- if init.IpaInit {
- ipaInit := corev1.Container{
- Name: "ironic-python-agent-init",
- Image: init.IronicPythonAgentImage,
- SecurityContext: &corev1.SecurityContext{
- Privileged: &init.Privileged,
- },
- Env: imageCopyEnvs,
- VolumeMounts: init.VolumeMounts,
- }
- containers = append(containers, ipaInit)
- }
-
 return containers
 }
diff --git a/pkg/ironicinspector/statefulset.go b/pkg/ironicinspector/statefulset.go
index c0afe7a7..8429a5b2 100644
--- a/pkg/ironicinspector/statefulset.go
+++ b/pkg/ironicinspector/statefulset.go
@@ -351,6 +351,7 @@ func StatefulSet(
 VolumeMounts: initVolumeMounts,
 PxeInit: true,
 IpaInit: true,
+ Privileged: true,
 InspectorHTTPURL: inspectorHTTPURL,
 IngressDomain: ingressDomain,
 InspectionNetwork: instance.Spec.InspectionNetwork,
diff --git a/templates/common/bin/common.sh b/templates/common/bin/common.sh
index fd352b93..075db52a 100755
--- a/templates/common/bin/common.sh
+++ b/templates/common/bin/common.sh
@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2022 Red Hat Inc.
 #
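Review bot: The `SYS_CHROOT`/`SETFCAP` additions on inspector-pxe-init say nothing about what needs them, and there is no matching `Drop`, so the container keeps the runtime's default capability set plus these two. The common pxe-init.sh introduced by this change chroots into the unpacked ironic-python-agent initramfs via `unshare -r chroot` and restores it with `cpio -idm`, which is presumably where SETFCAP comes in; a comment such as `// pxe-init.sh unpacks the IPA ramdisk with cpio and chroots into it to run update-ca-trust` together with `Drop: []corev1.Capability{"ALL"},` beside `Add` would make the grant explicit and minimal. Moving the ironic-python-agent-init block ahead of this container is load-bearing, since pxe-init.sh patches the initramfs that container copies in, and deserves a one-line comment too. Note that `unshare -r` is filtered by some default seccomp profiles unless CAP_SYS_ADMIN is held; the conductor variant sidesteps that by running privileged, so this container should be exercised on the target runtime. InitContainer begins before the first hunk and its body continues between the two.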
diff --git a/templates/common/bin/ironic-init.sh b/templates/common/bin/ironic-init.sh
index c047dbac..e7ab5546 100755
--- a/templates/common/bin/ironic-init.sh
+++ b/templates/common/bin/ironic-init.sh
@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2023 Red Hat Inc.
 #
diff --git a/templates/ironicconductor/bin/pxe-init.sh b/templates/common/bin/pxe-init.sh
similarity index 54%
rename from templates/ironicconductor/bin/pxe-init.sh
rename to templates/common/bin/pxe-init.sh
index 261718b8..458d527d 100755
--- a/templates/ironicconductor/bin/pxe-init.sh
+++ b/templates/common/bin/pxe-init.sh
@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2020 Red Hat Inc.
 #
@@ -15,12 +15,14 @@
 # under the License.
 
 set -ex
+
 # Create TFTP, HTTP serving directories
-mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
+if [ ! -d "/var/lib/ironic/tftpboot/pxelinux.cfg" ]; then
+ mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
+fi
 if [ ! -d "/var/lib/ironic/httpboot" ]; then
- mkdir /var/lib/ironic/httpboot
+ mkdir -p /var/lib/ironic/httpboot
 fi
-
 # Check for expected EFI directories
 if [ -d "/boot/efi/EFI/centos" ]; then
 efi_dir=centos
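Review bot: `set -ex` at the top of pxe-init.sh is the script's only error guard and it does not cover pipelines: the `zcat … | cpio -idmV` and `find . | cpio … | gzip -1 > …initramfs` steps added further down this same file report only the last stage's status, so a corrupt or truncated ramdisk would be unpacked and republished silently. Change the line to `set -exo pipefail`. The new `if [ ! -d … ]; then mkdir -p …; fi` wrappers are redundant, since `mkdir -p` already succeeds on an existing directory, so the bare `mkdir -p` lines are enough.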
@@ -41,3 +43,35 @@ for dir in httpboot tftpboot; do
 # Ensure all files are readable
 chmod -R +r /var/lib/ironic/$dir
 done
+
+# Patch ironic-python-agent with custom CA certificates
+if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
+ # Extract the initramfs
+ cd /
+ mkdir initramfs
+ pushd initramfs
+ zcat /var/lib/ironic/httpboot/ironic-python-agent.initramfs | cpio -idmV
+ popd
+
+ # Copy the CA certificates
+ cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
+ echo update-ca-trust | unshare -r chroot ./initramfs
+
+ # Repack the initramfs
+ pushd initramfs
+ find . | cpio -o -c --quiet -R root:root | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs
+fi
+
+# Build an ESP image
+pushd /var/lib/ironic/httpboot
+if [ ! -a "esp.img" ]; then
+ dd if=/dev/zero of=esp.img bs=4096 count=1024
+ mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
+
+ mmd -i esp.img EFI
+ mmd -i esp.img EFI/BOOT
+ mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
+ mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
+ mdir -i esp.img ::EFI/BOOT;
+fi
+popd
diff --git a/templates/common/bin/runlogwatch.sh b/templates/common/bin/runlogwatch.sh
index 7555eaf5..0478d131 100755
--- a/templates/common/bin/runlogwatch.sh
+++ b/templates/common/bin/runlogwatch.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 # Ramdisk logs path
 LOG_DIR=${LOG_DIR:-/var/lib/ironic/ramdisk-logs}
 
diff --git a/templates/ironicconductor/bin/init.sh b/templates/ironicconductor/bin/init.sh
index 10c45eb4..d87430e8 100755
--- a/templates/ironicconductor/bin/init.sh
+++ b/templates/ironicconductor/bin/init.sh
@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2020 Red Hat Inc.
 #
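Review bot: The repack line writes the patched ramdisk straight over `/var/lib/ironic/httpboot/ironic-python-agent.initramfs`, the file served to PXE-booting nodes, so a failure or container restart mid-`gzip` leaves a truncated image in place, and because the guard only tests that the file exists, the next run may try to patch that truncated image. Write the new archive to a temporary name in the same directory and `mv` it into place once complete, as sketched below. `[ ! -a "esp.img" ]` uses the obsolete `-a` unary; `-e` is the portable spelling. `cd / && mkdir initramfs` will also abort under `set -e` if `/initramfs` is already present, so `mkdir -p` (or an `rm -rf` first, to avoid merging stale files into the ramdisk) is safer.
```shell
  # … unchanged: extract initramfs, copy CA bundle, run update-ca-trust in chroot …
  # Repack to a temporary file and rename it into place so the served ramdisk is never truncated mid-write
  ramdisk=/var/lib/ironic/httpboot/ironic-python-agent.initramfs
  pushd initramfs
  find . | cpio -o -c --quiet -R root:root | gzip -1 > "${ramdisk}.tmp"
  mv -f "${ramdisk}.tmp" "${ramdisk}"
  popd
fi
```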
@@ -54,16 +54,3 @@ fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
 mkdir /var/lib/ironic/ramdisk-logs
 fi
-# Build an ESP image
-pushd /var/lib/ironic/httpboot
-if [ ! -a "esp.img" ]; then
- dd if=/dev/zero of=esp.img bs=4096 count=1024
- mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
-
- mmd -i esp.img EFI
- mmd -i esp.img EFI/BOOT
- mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
- mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
- mdir -i esp.img ::EFI/BOOT;
-fi
-popd
diff --git a/templates/ironicinspector/bin/init.sh b/templates/ironicinspector/bin/init.sh
index 8b505eff..67510999 100755
--- a/templates/ironicinspector/bin/init.sh
+++ b/templates/ironicinspector/bin/init.sh
@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2023 Red Hat Inc.
 #
@@ -20,6 +20,9 @@
 export TRANSPORTURL=${TransportURL:-""}
 export CUSTOMCONF=${CustomConf:-""}
 
+if [ ! -d "/var/lib/ironic/httpboot" ]; then
+ mkdir /var/lib/ironic/httpboot
+fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
 mkdir /var/lib/ironic/ramdisk-logs
 fi
diff --git a/templates/ironicinspector/bin/pxe-init.sh b/templates/ironicinspector/bin/inspector-pxe-init.sh
similarity index 61%
rename from templates/ironicinspector/bin/pxe-init.sh
rename to templates/ironicinspector/bin/inspector-pxe-init.sh
index 32d380b0..1a4990bd 100755
--- a/templates/ironicinspector/bin/pxe-init.sh
+++ b/templates/ironicinspector/bin/inspector-pxe-init.sh
@@ -18,10 +18,6 @@ set -ex
 # Get the statefulset pod index
 export PODINDEX=$(echo ${HOSTNAME##*-})
 
-# Create TFTP, HTTP serving directories
-mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
-mkdir -p /var/lib/ironic/httpboot
-
 # DHCP server configuration
 export InspectorNetworkIP=$(/usr/local/bin/container-scripts/get_net_ip ${InspectionNetwork})
 export INSPECTOR_HTTP_URL=$(python3 -c 'import os; print(os.environ["InspectorHTTPURL"] % os.environ)')
@@ -38,23 +34,5 @@ envsubst < ${DNSMASQ_CFG} | tee ${DNSMASQ_CFG}
 export INSPECTOR_IPXE=/var/lib/config-data/merged/inspector.ipxe
 envsubst < ${INSPECTOR_IPXE} | tee ${INSPECTOR_IPXE}
 
-# Check for expected EFI directories
-if [ -d "/boot/efi/EFI/centos" ]; then
- efi_dir=centos
-elif [ -d "/boot/efi/EFI/redhat" ]; then
- efi_dir=redhat
-else
- echo "No EFI directory detected"
- exit 1
-fi
-
-# Copy iPXE and grub files to tftpboot, httpboot
-for dir in httpboot tftpboot; do
- cp /usr/share/ipxe/ipxe-snponly-x86_64.efi /var/lib/ironic/$dir/snponly.efi
- cp /usr/share/ipxe/undionly.kpxe /var/lib/ironic/$dir/undionly.kpxe
- cp /usr/share/ipxe/ipxe.lkrn /var/lib/ironic/$dir/ipxe.lkrn
- cp /boot/efi/EFI/$efi_dir/shimx64.efi /var/lib/ironic/$dir/bootx64.efi
- cp /boot/efi/EFI/$efi_dir/grubx64.efi /var/lib/ironic/$dir/grubx64.efi
- # Ensure all files are readable
- chmod -R +r /var/lib/ironic/$dir
-done
+# run common pxe-init script
+/usr/local/bin/container-scripts/pxe-init.sh
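Review bot: `# run common pxe-init script` tells the reader nothing about what the common script now does for this container or what it expects: since this change, /usr/local/bin/container-scripts/pxe-init.sh copies the boot files, injects the pod's CA bundle into ironic-python-agent.initramfs and builds esp.img, and so must run after the ironic-python-agent-init container has placed the ramdisk in /var/lib/ironic/httpboot. Suggest `# Copy boot files, inject the CA bundle into the IPA ramdisk and build esp.img (expects the IPA images already in /var/lib/ironic/httpboot)`. As this is the script's last statement, `exec /usr/local/bin/container-scripts/pxe-init.sh` would also make the init container's exit status exactly that of the common script rather than relying on `set -e` to propagate it.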