Add support for ironic-networking standalone service

In support of: metal3-io/metal3-docs#586

Add the ironic-networking service container entry point and
configuration to enable standalone network management of baremetal
nodes via networking-generic-switch (NGS). This allows Ironic to
manage switch port configurations during node provisioning, cleaning,
inspection, servicing, and rescuing operations.

Changes:
- Add runironic-networking entry point and configure-ironic-networking
  script with associated environment variable defaults
- Add ironic-networking.conf.j2 Jinja2 configuration template
- Add NGS_SOURCE and INSTALL_NGS build arguments to Dockerfile and
  build-wheels.sh for optional networking-generic-switch installation
- Update ironic.conf.j2 to conditionally enable the ironic-networking
  network interface and configure JSON-RPC for the networking service
- Update auth-common.sh to accept a configurable config group name so
  it can be reused for ironic_networking_json_rpc authentication
- Add inspection hook local-link-connection and force_dhcp setting
  when networking is enabled
- Document new environment variables in README.md
- Update hack/prepare-irso-tests.sh for NGS source builds

Signed-off-by: Allain Legacy <alegacy@redhat.com>

Author: alegacy

Dockerfile

@@ -61,11 +61,15 @@ FROM $BASE_IMAGE AS ironic-wheel-builder
 ARG UPPER_CONSTRAINTS_FILE=upper-constraints.txt
 ARG IRONIC_SOURCE=eda12b9caf56ce6c454b0ff75a8e50acfe5f5f58 # master
 ARG SUSHY_SOURCE
+ARG NGS_SOURCE=e10fe3898cb4bd69941ceab668692eaf3ce65ac7 # master
+ARG INSTALL_NGS=true
 ARG PIP_VERSION
 ARG SETUPTOOLS_VERSION
 
 ENV IRONIC_SOURCE=${IRONIC_SOURCE} \
     SUSHY_SOURCE=${SUSHY_SOURCE} \
+    NGS_SOURCE=${NGS_SOURCE} \
+    INSTALL_NGS=${INSTALL_NGS} \
     UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE} \
     PIP_VERSION=${PIP_VERSION} \
     SETUPTOOLS_VERSION=${SETUPTOOLS_VERSION}
@@ -142,6 +146,7 @@ cp /tmp/ironic-config/inspector.ipxe.j2 /tmp/ironic-config/httpd-ironic-api.conf
    /templates/
 mkdir -p /etc/ironic
 cp /tmp/ironic-config/ironic.conf.j2 /etc/ironic/
+cp /tmp/ironic-config/ironic-networking.conf.j2 /etc/ironic/
 cp /tmp/ironic-config/httpd.conf.j2 /etc/httpd/conf/
 cp /tmp/ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 cp /tmp/ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2

README.md

@@ -27,6 +27,9 @@ The following entry points are provided:
    the provisioning of baremetal nodes.  Details on Ironic can be found at
    <https://docs.openstack.org/ironic/latest/>.  This is the default entry point
    used by the Dockerfile.
+- `runironic-networking` - Starts the ironic-networking service for standalone
+   network management of baremetal nodes. This service handles switch port
+   configuration for node provisioning, cleaning, and inspection operations.
 - `rundnsmasq` - Runs the dnmasq dhcp server to provide addresses and initiate
    PXE boot of baremetal nodes.  This includes a lightweight TFTP server.
    Details on dnsmasq can be found at
@@ -262,6 +265,39 @@ media HTTP server configuration:
   `true` will make the server enforce its cipher list ordering for TLS version
   up to 1.2, defaults to `false`
 
+## Ironic Networking
+
+The ironic networking configuration can be overridden by various environment
+variables.  The following can serve as an example of those most common settings.
+
+- `IRONIC_NETWORKING_ENABLED` - Enable standalone networking service
+   (default `false`)
+- `IRONIC_NETWORKING_JSON_RPC_HOST` - JSON-RPC host for networking service
+   (default `localhost`)
+- `IRONIC_NETWORKING_JSON_RPC_PORT` - JSON-RPC port for networking service
+   (default `8090`)
+- `IRONIC_NETWORKING_ENABLED_SWITCH_DRIVERS` - Enabled switch drivers (default
+   `generic-switch`)
+- `IRONIC_NETWORKING_SWITCH_CONFIGS` - Path to switch configuration file.
+   Switch configurations and SSH keys should be stored in a Secret and mounted
+   to the Pod as a file and referenced by this variable.
+   (default `${IRONIC_CONF_DIR}/networking/switch-configs.conf`)
+- `IRONIC_NETWORKING_PROVISIONING_NETWORK` - Network details for the
+   provisioning network (e.g., mode=access/native_vlan=123)
+- `IRONIC_NETWORKING_INSPECTION_NETWORK` - Network details for the inspection
+   network (e.g., mode=access/native_vlan=123)
+- `IRONIC_NETWORKING_SERVICING_NETWORK` - Network details for the servicing
+   network (e.g., mode=access/native_vlan=123)
+- `IRONIC_NETWORKING_CLEANING_NETWORK` - Network details for the cleaning
+   network (e.g., mode=access/native_vlan=123)
+- `IRONIC_NETWORKING_RESCUING_NETWORK` - Network details for the rescuing
+   network (e.g., mode=access/native_vlan=123)
+- `IRONIC_NETWORKING_IDLE_NETWORK` - Network details for the idle
+   network (e.g., mode=access/native_vlan=123)
+
+**Note:**  The ironic-networking service requires the `networking-generic-switch`
+  package.
+
 ## Using a read-only root filesystem
 
 The ironic-image can operate with a read-only root filesystem. However,
@@ -277,8 +313,12 @@ share runtime data between Ironic and HTTPD.
 ## Custom source for ironic software
 
 When building the ironic image, it is also possible to specify a
-different source for ironic or the sushy library using the build
-arguments **IRONIC_SOURCE** and **SUSHY_SOURCE**.
+different source for ironic, the sushy library, or NGS using the build
+arguments **IRONIC_SOURCE**, **SUSHY_SOURCE**, and **NGS_SOURCE**.
+The **INSTALL_NGS** build argument (default `true`) controls whether the
+`networking-generic-switch` package is included in the image. Setting
+**NGS_SOURCE** specifies the version to install but is only used when
+**INSTALL_NGS** is `true`.
 The accepted formats are gerrit refs, like _refs/changes/89/860689/2_,
 commit hashes, like _a1fe6cb41e6f0a1ed0a43ba5e17745714f206f1f_,
 repo tags or branches, or a local directory that needs to be under the

build-wheels.sh

@@ -29,6 +29,11 @@ if [[ -n ${SUSHY_SOURCE:-} ]]; then
     sed -i '/^sushy===/d' "${UPPER_CONSTRAINTS_PATH}"
 fi
 
+# Remove networking-generic-switch constraint if building from source
+if [[ -n ${NGS_SOURCE:-} ]]; then
+    sed -i '/^networking-generic-switch===/d' "${UPPER_CONSTRAINTS_PATH}"
+fi
+
 # Build wheels for all packages
 # Note: some packages may not produce wheels (pure Python), but pip wheel handles this
 python3.12 -m pip wheel \

hack/prepare-irso-tests.sh

@@ -28,6 +28,14 @@ if [[ -n "${SUSHY_SOURCE:-}" ]]; then
     fi
     build_args+=(--build-arg SUSHY_SOURCE=sushy)
 fi
+if [[ -n "${NGS_SOURCE:-}" ]]; then
+    if [[ -d "${NGS_SOURCE}" ]]; then
+        cp -ra "${NGS_SOURCE}" sources/networking-generic-switch
+        rm -rf sources/networking-generic-switch/.tox
+        to_delete+=(sources/networking-generic-switch)
+    fi
+    build_args+=(--build-arg NGS_SOURCE=networking-generic-switch)
+fi
 
 "${CONTAINER_RUNTIME}" build -t "${IRONIC_CUSTOM_IMAGE}" "${build_args[@]}" .
 

ironic-config/ironic-networking.conf.j2

@@ -0,0 +1,28 @@
+[DEFAULT]
+debug = true
+auth_strategy = http_basic
+http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
+rpc_transport = json-rpc
+use_stderr = true
+
+[ironic_networking_json_rpc]
+auth_strategy = http_basic
+http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
+host_ip = {{ env.IRONIC_NETWORKING_JSON_RPC_HOST }}
+port = {{ env.IRONIC_NETWORKING_JSON_RPC_PORT }}
+{% if env.IRONIC_TLS_SETUP == "true" %}
+use_ssl = true
+cafile = {{ env.IRONIC_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSECURE }}
+{% endif %}
+
+{% if env.IRONIC_TLS_SETUP == "true" %}
+[ssl]
+cert_file = {{ env.IRONIC_CERT_FILE }}
+key_file = {{ env.IRONIC_KEY_FILE }}
+{% endif %}
+
+[ironic_networking]
+enabled_switch_drivers = {{ env.IRONIC_NETWORKING_ENABLED_SWITCH_DRIVERS }}
+driver_config_dir = {{ env.IRONIC_NETWORKING_DRIVER_CONFIG_DIR }}
+switch_config_file = {{ env.IRONIC_NETWORKING_SWITCH_CONFIGS }}

ironic-config/ironic.conf.j2

@@ -3,7 +3,11 @@ auth_strategy = noauth
 debug = true
 default_deploy_interface = direct
 default_inspect_interface = agent
+{%- if env.IRONIC_NETWORKING_ENABLED | lower == "true" %}
+default_network_interface = ironic-networking
+{% else %}
 default_network_interface = noop
+{% endif -%}
 enabled_bios_interfaces = no-bios,redfish,idrac-redfish
 enabled_boot_interfaces = ipxe,pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,redfish-https
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent,bootc
@@ -13,7 +17,11 @@ enabled_firmware_interfaces = no-firmware,fake,redfish
 enabled_hardware_types = ipmi,idrac,fake-hardware,redfish,manual-management
 enabled_inspect_interfaces = agent,fake,redfish
 enabled_management_interfaces = ipmitool,fake,redfish,idrac-redfish,noop
+{%- if env.IRONIC_NETWORKING_ENABLED | lower == "true" %}
+enabled_network_interfaces = ironic-networking,noop
+{% else %}
 enabled_network_interfaces = noop
+{% endif -%}
 enabled_power_interfaces = ipmitool,fake,redfish,idrac-redfish
 enabled_raid_interfaces = no-raid,agent,fake,redfish,idrac-redfish
 enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,fake
@@ -155,9 +163,10 @@ power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
 extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp={{ env.IRONIC_IPA_COLLECT_LLDP | default('1') }}
-hooks = $default_hooks{% if env.IRONIC_IPA_COLLECT_LLDP | default('1') == '1' %},parse-lldp{% endif %}
+hooks = $default_hooks{% if env.IRONIC_IPA_COLLECT_LLDP | default('1') == '1' %},parse-lldp{% if env.IRONIC_NETWORKING_ENABLED | lower == "true" %},local-link-connection{% endif %}{% endif %}
 add_ports = all
 keep_ports = present
+force_dhcp = {{ env.IRONIC_FORCE_DHCP }}
 
 [auto_discovery]
 enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
@@ -265,3 +274,39 @@ key_file = {{ env.IRONIC_KEY_FILE }}
 {% if env.IRONIC_OCI_AUTH_CONFIG is defined %}
 authentication_config = {{ env.IRONIC_OCI_AUTH_CONFIG }}
 {% endif %}
+
+{% if env.IRONIC_NETWORKING_ENABLED | lower == "true" %}
+[ironic_networking_json_rpc]
+auth_strategy = http_basic
+http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
+host_ip = {{ env.IRONIC_NETWORKING_JSON_RPC_HOST }}
+port = {{ env.IRONIC_NETWORKING_JSON_RPC_PORT }}
+{% if env.IRONIC_TLS_SETUP == "true" %}
+use_ssl = true
+cafile = {{ env.IRONIC_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSECURE }}
+{% endif %}
+{% endif %}
+
+{% if env.IRONIC_NETWORKING_ENABLED | lower == "true" %}
+[ironic_networking]
+rpc_transport = json-rpc
+{%- if env.IRONIC_NETWORKING_IDLE_NETWORK is defined %}
+idle_network = {{ env.IRONIC_NETWORKING_IDLE_NETWORK }}
+{%- endif %}
+{%- if env.IRONIC_NETWORKING_PROVISIONING_NETWORK is defined %}
+provisioning_network = {{ env.IRONIC_NETWORKING_PROVISIONING_NETWORK }}
+{%- endif %}
+{%- if env.IRONIC_NETWORKING_INSPECTION_NETWORK is defined %}
+inspection_network = {{ env.IRONIC_NETWORKING_INSPECTION_NETWORK }}
+{%- endif %}
+{%- if env.IRONIC_NETWORKING_CLEANING_NETWORK is defined %}
+cleaning_network = {{ env.IRONIC_NETWORKING_CLEANING_NETWORK }}
+{%- endif %}
+{%- if env.IRONIC_NETWORKING_RESCUING_NETWORK is defined %}
+rescuing_network = {{ env.IRONIC_NETWORKING_RESCUING_NETWORK }}
+{%- endif %}
+{%- if env.IRONIC_NETWORKING_SERVICING_NETWORK is defined %}
+servicing_network = {{ env.IRONIC_NETWORKING_SERVICING_NETWORK }}
+{%- endif %}
+{% endif %}

ironic-packages-list

@@ -16,3 +16,14 @@ sushy @ git+https://opendev.org/openstack/sushy@{{ env.SUSHY_SOURCE }}
 {% else %}
 sushy
 {% endif %}
+{% if env.INSTALL_NGS | lower == "true" %}
+    {% if env.NGS_SOURCE %}
+        {% if path.isdir('/sources/' + env.NGS_SOURCE) %}
+git+file:///sources/{{ env.NGS_SOURCE }}
+        {% else %}
+networking-generic-switch @ git+https://opendev.org/openstack/networking-generic-switch@{{ env.NGS_SOURCE }}
+        {% endif %}
+    {% else %}
+networking-generic-switch
+    {% endif %}
+{% endif %}

renovate.json

@@ -96,6 +96,20 @@
       ],
       "datasourceTemplate": "pypi",
       "depNameTemplate": "setuptools"
+    },
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "ARG NGS_SOURCE=(?<currentDigest>[a-f0-9]{40})\\s+#\\s*(?<currentValue>[^\\n]+)"
+      ],
+      "datasourceTemplate": "git-refs",
+      "depNameTemplate": "networking-generic-switch",
+      "packageNameTemplate": "https://github.com/openstack/networking-generic-switch.git",
+      "versioningTemplate": "loose",
+      "autoReplaceStringTemplate": "ARG NGS_SOURCE={{#if newDigest}}{{{newDigest}}}{{else}}{{{newValue}}}{{/if}} # {{{currentValue}}}"
     }
   ]
 }

scripts/auth-common.sh

@@ -46,22 +46,20 @@ fi
 
 configure_json_rpc_auth()
 {
-    if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then
-        return
-    fi
+    local GROUP=${1:-json_rpc}
 
     local auth_config_file="/auth/ironic-rpc/auth-config"
     local username_file="/auth/ironic-rpc/username"
     local password_file="/auth/ironic-rpc/password"
     if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
-        crudini --set "${IRONIC_CONFIG}" json_rpc username "$(<${username_file})"
+        crudini --set "${IRONIC_CONFIG}" "${GROUP}" username "$(<${username_file})"
         set +x
-        crudini --set "${IRONIC_CONFIG}" json_rpc password "$(<${password_file})"
+        crudini --set "${IRONIC_CONFIG}" "${GROUP}" password "$(<${password_file})"
         set -x
     elif [[ -f "${auth_config_file}" ]]; then
         echo "WARNING: using auth-config is deprecated, mount a secret directly"
-        # Merge configurations in the "auth" directory into the default ironic configuration file
-        crudini --merge "${IRONIC_CONFIG}" < "${auth_config_file}"
+        # Merge configurations in the "auth" directory into the target group
+        crudini --merge "${IRONIC_CONFIG}" "${GROUP}" < "${auth_config_file}"
     else
         echo "FATAL: no client-side credentials provided for JSON RPC"
         echo "HINT: mount a secret with username and password fields under /auth/ironic-rpc"

scripts/configure-ironic-networking.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+# No need to rely on this being set by whoever created this service since this
+# only gets run when ironic-networking is enabled.
+export IRONIC_NETWORKING_ENABLED=true
+
+# shellcheck disable=SC1091
+. /bin/tls-common.sh
+# shellcheck disable=SC1091
+. /bin/ironic-common.sh
+# shellcheck disable=SC1091
+. /bin/ironic-networking-common.sh
+# shellcheck disable=SC1091
+. /bin/auth-common.sh
+
+# zero makes it do cpu number detection on Ironic side
+export NUMWORKERS=${NUMWORKERS:-0}
+
+if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then
+    # Make a copy of the original supposed empty configuration file
+    cp "${IRONIC_CONF_DIR}/ironic.conf" "${IRONIC_CONF_DIR}/ironic.conf.orig"
+fi
+
+# The original ironic.conf is empty, and can be found in ironic.conf.orig
+render_j2_config "/etc/ironic/ironic-networking.conf.j2" \
+    "${IRONIC_CONF_DIR}/ironic.conf"
+
+configure_json_rpc_auth "ironic_networking_json_rpc"
+
+# Make sure ironic traffic bypasses any proxies
+export NO_PROXY="${NO_PROXY:-},${IRONIC_IP}"
+
+# Ensure driver config directory exists
+mkdir -p "${IRONIC_NETWORKING_DRIVER_CONFIG_DIR}"