Make Metal3 stack persistent via quadlets (flag-controlled) (#221)

* Make Metal3 stack persistent via quadlets (flag-controlled)

Add metal3_persistent flag (default: false) to deploy_ironic.yaml and
deploy_bmo.yaml. When false (phase 3), the existing ephemeral podman
behaviour is preserved. When true (phase 7), quadlet files are deployed
to /etc/containers/systemd/ so systemd manages the Metal3 services and
they survive an LZ reboot.

New quadlet templates:
- metal3-ironic.pod.j2 (Network=host pod)
- metal3-ironic-api.container.j2 (Pull=never, conditional SSL CA)
- metal3-httpd.container.j2
- metal3-bmo.container.j2 (After=metal3-ironic-api.service)

New task files:
- deploy_ironic_containers.yaml – ephemeral path (extracted from deploy_ironic.yaml)
- deploy_ironic_quadlet_units.yaml – persistent path
- deploy_bmo_container.yaml – ephemeral path (extracted from deploy_bmo.yaml)
- deploy_bmo_quadlet_unit.yaml – persistent path
- configure_metal3_teardown.yaml – manual decommission helper

07-configure-discovery.yaml sets metal3_persistent: true before the
Metal3 deployment tasks so phase 7 uses the quadlet path.

https://redhat.atlassian.net/browse/MGMT-22877

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>

Assisted-by: Claude <noreply@anthropic.com>

* remove unused configure_metal3_teardown.yaml

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>

---------

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>

Author: rporres

playbooks/07-configure-discovery.yaml

@@ -6,6 +6,10 @@
     - name: Load common variables
       ansible.builtin.include_tasks: common/load-vars.yaml
 
+    - name: Enable persistent Metal3 deployment
+      ansible.builtin.set_fact:
+        metal3_persistent: true
+
     - name: Deploy Metal3 common resources
       ansible.builtin.include_tasks: "../playbooks/tasks/deploy_metal3_common.yaml"
 

playbooks/tasks/deploy_bmo.yaml

@@ -13,13 +13,21 @@
     metal3_baremetal_operator_image: "{{ r_baremetal_operator_image.stdout }}"
 
 - name: Create podman secret for kubeconfig
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_secret:
     name: metal3-kubeconfig
     data: "{{ lookup('file', workingDir + '/ocp-cluster/auth/kubeconfig') }}"
     state: present
     force: false
   no_log: true
 
+- name: Pre-pull baremetal-operator image
+  become: "{{ metal3_persistent | default(false) | bool }}"
+  containers.podman.podman_image:
+    name: "{{ metal3_baremetal_operator_image }}"
+    auth_file: "{{ pullSecretPath }}"
+    state: present
+
 - name: Verify Ironic is accessible before deploying BMO
   ansible.builtin.uri:
     url: "http://{{ lzBmcIP }}:6385/v1/"
@@ -34,52 +42,16 @@
   until: r_ironic_check is succeeded
   when: metal3_bmo_wait_for_ironic | default(true) | bool
 
-- name: Run baremetal-operator container
-  containers.podman.podman_container:
-    name: baremetal-operator
-    image: "{{ metal3_baremetal_operator_image }}"
-    authfile: "{{ pullSecretPath }}"
-    user: "65532:65532"
-    cap_drop:
-      - ALL
-    security_opt:
-      - no-new-privileges
-    secrets:
-      - metal3-kubeconfig,type=mount,target=/kubeconfig/config,uid=65532,gid=65532,mode=0400
-      - metal3-ironic-username,type=mount,target=/auth/ironic/username,uid=65532,gid=65532,mode=0400
-      - metal3-ironic-password,type=mount,target=/auth/ironic/password,uid=65532,gid=65532,mode=0400
-    env:
-      KUBECONFIG: /kubeconfig/config
-      IRONIC_ENDPOINT: http://{{ lzBmcIP }}:6385/v1/
-      WATCH_NAMESPACE: infraenv
-      LIVE_ISO_FORCE_PERSISTENT_BOOT_DEVICE: Never
-      METAL3_AUTH_ROOT_DIR: /auth
-    command:
-      - /baremetal-operator
-      - --webhook-port=0
-      - --metrics-addr=0
-      - --health-addr=0
-      - --dev
-      - --enable-leader-election=false
-    state: started
-
-- name: Wait for baremetal-operator container to be running
-  containers.podman.podman_container_info:
-    name: baremetal-operator
-  register: r_bmo_ready
-  retries: 60
-  delay: 5
-  until: >
-    r_bmo_ready.containers | length > 0 and
-    r_bmo_ready.containers[0].State.Status == 'running'
-  changed_when: false
+- name: Deploy BMO container (ephemeral)
+  when: not (metal3_persistent | default(false) | bool)
+  ansible.builtin.include_tasks: deploy_bmo_container.yaml
 
-- name: Display baremetal-operator container status
-  containers.podman.podman_container_info:
+- name: Remove ephemeral baremetal-operator container before persistent deployment
+  when: metal3_persistent | default(false) | bool
+  containers.podman.podman_container:
     name: baremetal-operator
-  register: r_bmo_status
+    state: absent
 
-- name: Show baremetal-operator status
-  ansible.builtin.debug:
-    msg: "Container: {{ r_bmo_status.containers[0].Name }} | State: {{ r_bmo_status.containers[0].State.Status }}"
-  when: r_bmo_status.containers | length > 0
+- name: Deploy BMO via quadlet (persistent)
+  when: metal3_persistent | default(false) | bool
+  ansible.builtin.include_tasks: deploy_bmo_quadlet_unit.yaml

playbooks/tasks/deploy_bmo_container.yaml

@@ -0,0 +1,52 @@
+---
+# BMO ephemeral container deployment (non-persistent path)
+
+- name: Run baremetal-operator container
+  containers.podman.podman_container:
+    name: baremetal-operator
+    image: "{{ metal3_baremetal_operator_image }}"
+    authfile: "{{ pullSecretPath }}"
+    user: "65532:65532"
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges
+    secrets:
+      - metal3-kubeconfig,type=mount,target=/kubeconfig/config,uid=65532,gid=65532,mode=0400
+      - metal3-ironic-username,type=mount,target=/auth/ironic/username,uid=65532,gid=65532,mode=0400
+      - metal3-ironic-password,type=mount,target=/auth/ironic/password,uid=65532,gid=65532,mode=0400
+    env:
+      KUBECONFIG: /kubeconfig/config
+      IRONIC_ENDPOINT: http://{{ lzBmcIP }}:6385/v1/
+      WATCH_NAMESPACE: infraenv
+      LIVE_ISO_FORCE_PERSISTENT_BOOT_DEVICE: Never
+      METAL3_AUTH_ROOT_DIR: /auth
+    command:
+      - /baremetal-operator
+      - --webhook-port=0
+      - --metrics-addr=0
+      - --health-addr=0
+      - --dev
+      - --enable-leader-election=false
+    state: started
+
+- name: Wait for baremetal-operator container to be running
+  containers.podman.podman_container_info:
+    name: baremetal-operator
+  register: r_bmo_ready
+  retries: 60
+  delay: 5
+  until: >
+    r_bmo_ready.containers | length > 0 and
+    r_bmo_ready.containers[0].State.Status == 'running'
+  changed_when: false
+
+- name: Display baremetal-operator container status
+  containers.podman.podman_container_info:
+    name: baremetal-operator
+  register: r_bmo_status
+
+- name: Show baremetal-operator status
+  ansible.builtin.debug:
+    msg: "Container: {{ r_bmo_status.containers[0].Name }} | State: {{ r_bmo_status.containers[0].State.Status }}"
+  when: r_bmo_status.containers | length > 0

playbooks/tasks/deploy_bmo_quadlet_unit.yaml

@@ -0,0 +1,39 @@
+---
+# BMO persistent deployment via quadlet unit
+
+- name: Deploy metal3-bmo container quadlet
+  become: true
+  ansible.builtin.template:
+    src: "{{ playbook_dir }}/templates/quadlets/metal3-bmo.container.j2"
+    dest: /etc/containers/systemd/metal3-bmo.container
+    mode: '0644'
+  register: r_bmo_quadlet
+
+- name: Reload systemd daemon
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Enable and start metal3-bmo service
+  become: true
+  ansible.builtin.systemd:
+    name: metal3-bmo.service
+    state: started
+    enabled: true
+
+- name: Restart metal3-bmo service if quadlet changed
+  become: true
+  ansible.builtin.systemd:
+    name: metal3-bmo.service
+    state: restarted
+  when: r_bmo_quadlet is changed
+
+- name: Wait for metal3-bmo service to be active
+  become: true
+  ansible.builtin.systemd:
+    name: metal3-bmo.service
+  register: r_bmo_svc
+  retries: 60
+  delay: 5
+  until: r_bmo_svc.status.ActiveState == 'active'
+  changed_when: false

playbooks/tasks/deploy_ironic.yaml

@@ -29,6 +29,7 @@
   no_log: true
 
 - name: Create podman secret for ironic htpasswd
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_secret:
     name: metal3-ironic-htpasswd
     data: "{{ metal3_ironic_htpasswd }}"
@@ -42,6 +43,7 @@
 
 - name: Create podman secret for CA bundle
   when: ssl_certs_configured | bool
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_secret:
     name: metal3-ca-bundle
     data: "{{ sslIngressCertificateFullChain + sslCACertificate | default('') }}"
@@ -50,156 +52,37 @@
   no_log: true
 
 - name: Create ironic-conf volume
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_volume:
     name: metal3-ironic-conf
     state: present
 
 - name: Create ironic-data volume
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_volume:
     name: metal3-ironic-data
     state: present
 
 - name: Create ironic-shared volume
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_volume:
     name: metal3-ironic-shared
     state: present
 
-- name: Create metal3-ironic pod
-  containers.podman.podman_pod:
-    name: metal3-ironic
-    network: host
-    share: net,ipc,uts
-    state: started
-
-- name: Wait for metal3-ironic pod infrastructure container to be ready
-  block:
-    - name: Get pod info to extract infra container ID
-      containers.podman.podman_pod_info:
-        name: metal3-ironic
-      register: r_pod_infra_check
-      retries: 30
-      delay: 2
-      until:
-        - r_pod_infra_check.pods | length > 0
-        - r_pod_infra_check.pods[0].InfraContainerID is defined
-        - r_pod_infra_check.pods[0].InfraContainerID | length > 0
-      changed_when: false
-
-    - name: Verify infra container is running
-      containers.podman.podman_container_info:
-        name: "{{ r_pod_infra_check.pods[0].InfraContainerID }}"
-      register: r_infra_container_check
-      retries: 10
-      delay: 1
-      until:
-        - r_infra_container_check.containers | length > 0
-        - r_infra_container_check.containers[0].State.Running | default(false)
-      changed_when: false
-
-- name: Wait for metal3-ironic pod to exist
-  containers.podman.podman_pod_info:
-    name: metal3-ironic
-  register: r_pod_infra_check
-  retries: 30
-  delay: 2
-  until:
-    - r_pod_infra_check.pods | length > 0
-  changed_when: false
-
-- name: Set ironic secrets list (with CA bundle)
-  when: ssl_certs_configured | bool
-  ansible.builtin.set_fact:
-    ironic_secrets:
-      - metal3-ca-bundle,type=mount,target=/certs/ca-bundle.crt,uid=1002,gid=1003,mode=0400
-      - metal3-ironic-htpasswd,type=env,target=IRONIC_HTPASSWD
+- name: Pre-pull ironic image
+  become: "{{ metal3_persistent | default(false) | bool }}"
+  containers.podman.podman_image:
+    name: "{{ metal3_ironic_image }}"
+    auth_file: "{{ pullSecretPath }}"
+    state: present
 
-- name: Set ironic secrets list (without CA bundle)
-  when: not (ssl_certs_configured | bool)
-  ansible.builtin.set_fact:
-    ironic_secrets:
-      - metal3-ironic-htpasswd,type=env,target=IRONIC_HTPASSWD
+- name: Deploy Ironic containers (ephemeral)
+  when: not (metal3_persistent | default(false) | bool)
+  ansible.builtin.include_tasks: deploy_ironic_containers.yaml
 
-- name: Set ironic environment variables (with CA bundle)
-  when: ssl_certs_configured | bool
-  ansible.builtin.set_fact:
-    ironic_env:
-      IRONIC_LISTEN_PORT: "6385"
-      HTTP_PORT: "6180"
-      LISTEN_ALL_INTERFACES: "true"
-      USE_IRONIC_INSPECTOR: "false"
-      PROVISIONING_IP: "{{ lzBmcIP }}"
-      IRONIC_USE_MARIADB: "false"
-      IRONIC_EXPOSE_JSON_RPC: "false"
-      OS_JSON_RPC__PORT: "6189"
-      WEBSERVER_CACERT_FILE: /certs/ca-bundle.crt
-
-- name: Set ironic environment variables (without CA bundle)
-  when: not (ssl_certs_configured | bool)
-  ansible.builtin.set_fact:
-    ironic_env:
-      IRONIC_LISTEN_PORT: "6385"
-      HTTP_PORT: "6180"
-      LISTEN_ALL_INTERFACES: "true"
-      USE_IRONIC_INSPECTOR: "false"
-      PROVISIONING_IP: "{{ lzBmcIP }}"
-      IRONIC_USE_MARIADB: "false"
-      IRONIC_EXPOSE_JSON_RPC: "false"
-      OS_JSON_RPC__PORT: "6189"
-
-- name: Run ironic container
-  containers.podman.podman_container:
-    name: ironic
-    pod: metal3-ironic
-    image: "{{ metal3_ironic_image }}"
-    authfile: "{{ pullSecretPath }}"
-    restart_policy: always
-    user: "1002:1003"
-    cap_drop:
-      - ALL
-    volume:
-      - metal3-ironic-conf:/conf
-      - metal3-ironic-data:/data
-      - metal3-ironic-shared:/shared
-    secrets: "{{ ironic_secrets }}"
-    env: "{{ ironic_env }}"
-    command:
-      - /bin/runironic
-    state: started
-
-- name: Run httpd container
-  containers.podman.podman_container:
-    name: httpd
-    pod: metal3-ironic
-    image: "{{ metal3_ironic_image }}"
-    authfile: "{{ pullSecretPath }}"
-    restart_policy: always
-    user: "1002:1003"
-    cap_drop:
-      - ALL
-    volume:
-      - metal3-ironic-shared:/shared
-    env:
-      IRONIC_LISTEN_PORT: "6385"
-      HTTP_PORT: "6180"
-      LISTEN_ALL_INTERFACES: "true"
-      USE_IRONIC_INSPECTOR: "false"
-      PROVISIONING_IP: "{{ lzBmcIP }}"
-    command:
-      - /bin/runhttpd
-    state: started
-
-- name: Wait for metal3-ironic pod and containers to be running
-  containers.podman.podman_pod_info:
-    name: metal3-ironic
-  register: r_pod_ready
-  retries: 60
-  delay: 5
-  until:
-    - r_pod_ready.pods | length > 0
-    - r_pod_ready.pods[0].Containers | selectattr('Name', 'equalto', 'ironic') | selectattr('State', 'equalto', 'running') | list | length == 1
-    - r_pod_ready.pods[0].Containers | selectattr('Name', 'equalto', 'httpd') | selectattr('State', 'equalto', 'running') | list | length == 1
-  changed_when: false
-  # Note: Checks that both ironic and httpd containers are running (infra container state is ignored)
+- name: Deploy Ironic via quadlet (persistent)
+  when: metal3_persistent | default(false) | bool
+  ansible.builtin.include_tasks: deploy_ironic_quadlet_units.yaml
 
 - name: Verify HTTP server accessibility
   ansible.builtin.uri: