diff --git a/pkg/ironic/initcontainer.go b/pkg/ironic/initcontainer.go
index 3e6be6a1..88c6ab06 100644
--- a/pkg/ironic/initcontainer.go
+++ b/pkg/ironic/initcontainer.go
@@ -116,26 +116,6 @@ func InitContainer(init APIDetails) []corev1.Container {
 var containers []corev1.Container
- if init.PxeInit {
- pxeInit := corev1.Container{
- Name: "pxe-init",
- Image: init.PxeContainerImage,
- SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
- },
- Command: []string{
- "/bin/bash",
- },
- Args: []string{
- "-c",
- PxeInitContainerCommand,
- },
- Env: envs,
- VolumeMounts: init.VolumeMounts,
- }
- containers = append(containers, pxeInit)
- }
-
 initContainer := corev1.Container{
 Name: "init",
 Image: init.ContainerImage,
@@ -167,5 +147,26 @@ func InitContainer(init APIDetails) []corev1.Container {
 containers = append(containers, ipaInit)
 }
+ if init.PxeInit {
+ pxeInit := corev1.Container{
+ Name: "pxe-init",
+ Image: init.PxeContainerImage,
+ SecurityContext: &corev1.SecurityContext{
+ RunAsUser: &runAsUser,
+ Privileged: &init.Privileged,
+ },
+ Command: []string{
+ "/bin/bash",
+ },
+ Args: []string{
+ "-c",
+ PxeInitContainerCommand,
+ },
+ Env: envs,
+ VolumeMounts: init.VolumeMounts,
+ }
+ containers = append(containers, pxeInit)
+ }
+
 return containers
 }
diff --git a/pkg/ironicconductor/statefulset.go b/pkg/ironicconductor/statefulset.go
index 537feca2..03b2a67d 100644
--- a/pkg/ironicconductor/statefulset.go
+++ b/pkg/ironicconductor/statefulset.go
@@ -340,6 +340,7 @@ func StatefulSet(
 VolumeMounts: initVolumeMounts,
 PxeInit: true,
 ConductorInit: true,
+ Privileged: true,
 DeployHTTPURL: deployHTTPURL,
 IngressDomain: ingressDomain,
 ProvisionNetwork: instance.Spec.ProvisionNetwork,
diff --git a/pkg/ironicinspector/initcontainer.go b/pkg/ironicinspector/initcontainer.go
index 6eaa5f0c..31537ada 100644
--- a/pkg/ironicinspector/initcontainer.go
+++ b/pkg/ironicinspector/initcontainer.go
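Review bot: `Privileged: &init.Privileged` in the rebuilt pxe-init container (second hunk), combined with `Privileged: true` in the pkg/ironicconductor/statefulset.go hunk below, makes the conductor's pxe-init container fully privileged, whereas the inspector's counterpart in pkg/ironicinspector/initcontainer.go is given only `SYS_CHROOT` and `SETFCAP`. If the new `unshare -r chroot` / `update-ca-trust` step in templates/common/bin/pxe-init.sh is what needs elevated rights, the same `Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"SYS_CHROOT", "SETFCAP"}}` would likely cover it and keep both pods at the smaller grant; the `dd`/`mkfs.msdos`/mtools ESP build operates on a plain file and should need none. One caveat worth confirming: `unshare -r` creates a user namespace, which a runtime's default seccomp profile may refuse without CAP_SYS_ADMIN, so if that is the step forcing full privilege, a comment on the field such as `// pxe-init.sh needs unshare/chroot to patch the IPA ramdisk` should say so rather than leaving the two pods silently inconsistent. `RunAsUser: &runAsUser` is kept alongside the privileged flag, so which user the chroot step actually runs as is also worth checking. InitContainer's body continues outside both hunks.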
@@ -47,7 +47,6 @@ const (
 // PxeInitContainerCommand -
 PxeInitContainerCommand = "/usr/local/bin/container-scripts/inspector-pxe-init.sh"
-
 )
 // InitContainer - init container for Ironic Inspector pods
@@ -129,12 +128,31 @@ func InitContainer(init APIDetails) []corev1.Container {
 }
 containers = append(containers, inspectorInit)
+ if init.IpaInit {
+ ipaInit := corev1.Container{
+ Name: "ironic-python-agent-init",
+ Image: init.IronicPythonAgentImage,
+ SecurityContext: &corev1.SecurityContext{
+ Privileged: &init.Privileged,
+ },
+ Env: imageCopyEnvs,
+ VolumeMounts: init.VolumeMounts,
+ }
+ containers = append(containers, ipaInit)
+ }
+
 if init.PxeInit {
 pxeInit := corev1.Container{
 Name: "inspector-pxe-init",
 Image: init.PxeContainerImage,
 SecurityContext: &corev1.SecurityContext{
 RunAsUser: &runAsUser,
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{
+ "SYS_CHROOT",
+ "SETFCAP",
+ },
+ },
 },
 Command: []string{
 "/bin/bash",
@@ -146,18 +164,5 @@ func InitContainer(init APIDetails) []corev1.Container {
 containers = append(containers, pxeInit)
 }
- if init.IpaInit {
- ipaInit := corev1.Container{
- Name: "ironic-python-agent-init",
- Image: init.IronicPythonAgentImage,
- SecurityContext: &corev1.SecurityContext{
- Privileged: &init.Privileged,
- },
- Env: imageCopyEnvs,
- VolumeMounts: init.VolumeMounts,
- }
- containers = append(containers, ipaInit)
- }
-
 return containers
 }
diff --git a/pkg/ironicinspector/statefulset.go b/pkg/ironicinspector/statefulset.go
index 5be70581..f9137ea2 100644
--- a/pkg/ironicinspector/statefulset.go
+++ b/pkg/ironicinspector/statefulset.go
@@ -351,6 +351,7 @@ func StatefulSet(
 VolumeMounts: initVolumeMounts,
 PxeInit: true,
 IpaInit: true,
+ Privileged: true,
 InspectorHTTPURL: inspectorHTTPURL,
 IngressDomain: ingressDomain,
 InspectionNetwork: instance.Spec.InspectionNetwork,
diff --git a/templates/common/bin/pxe-init.sh b/templates/common/bin/pxe-init.sh
index eb9e3e9d..458d527d 100755
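Review bot: `Privileged: &init.Privileged` on the ironic-python-agent-init container (second hunk) becomes a live `true` through the pkg/ironicinspector/statefulset.go hunk below, so the ramdisk-copy container now runs fully privileged while the pxe-init container in the same hunk is limited to `SYS_CHROOT` and `SETFCAP`; nothing in this diff shows what the image copy needs privilege for, and the CA-patching step that does need a chroot runs in pxe-init, not here. Dropping `Privileged` from ipaInit, or giving it the same capability list, would keep the inspector pod at the smaller grant the pxe-init change already chose. Moving ipaInit ahead of pxeInit looks intentional, since the common pxe-init.sh only patches `/var/lib/ironic/httpboot/ironic-python-agent.initramfs` when that file already exists, but the order is now load-bearing without saying so; a comment above `if init.IpaInit {` such as `// ipa-init runs before pxe-init: pxe-init patches the IPA ramdisk that ipa-init copies into httpboot` would record it (assuming inspector-pxe-init.sh includes that step). InitContainer's body continues outside the hunk.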
--- a/templates/common/bin/pxe-init.sh
+++ b/templates/common/bin/pxe-init.sh
@@ -17,8 +17,12 @@ set -ex
 # Create TFTP, HTTP serving directories
-mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
-mkdir -p /var/lib/ironic/httpboot
+if [ ! -d "/var/lib/ironic/tftpboot/pxelinux.cfg" ]; then
+ mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
+fi
+if [ ! -d "/var/lib/ironic/httpboot" ]; then
+ mkdir -p /var/lib/ironic/httpboot
+fi
 # Check for expected EFI directories
 if [ -d "/boot/efi/EFI/centos" ]; then
 efi_dir=centos
@@ -39,3 +43,35 @@ for dir in httpboot tftpboot; do
 # Ensure all files are readable
 chmod -R +r /var/lib/ironic/$dir
 done
+
+# Patch ironic-python-agent with custom CA certificates
+if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
+ # Extract the initramfs
+ cd /
+ mkdir initramfs
+ pushd initramfs
+ zcat /var/lib/ironic/httpboot/ironic-python-agent.initramfs | cpio -idmV
+ popd
+
+ # Copy the CA certificates
+ cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
+ echo update-ca-trust | unshare -r chroot ./initramfs
+
+ # Repack the initramfs
+ pushd initramfs
+ find . | cpio -o -c --quiet -R root:root | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs
+fi
+
+# Build an ESP image
+pushd /var/lib/ironic/httpboot
+if [ ! -a "esp.img" ]; then
+ dd if=/dev/zero of=esp.img bs=4096 count=1024
+ mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
+
+ mmd -i esp.img EFI
+ mmd -i esp.img EFI/BOOT
+ mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
+ mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
+ mdir -i esp.img ::EFI/BOOT;
+fi
+popd
diff --git a/templates/ironicconductor/bin/init.sh b/templates/ironicconductor/bin/init.sh
index 8f48f0a3..d87430e8 100755
--- a/templates/ironicconductor/bin/init.sh
+++ b/templates/ironicconductor/bin/init.sh
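Review bot: The `if [ ! -d ... ]; then mkdir -p ...; fi` wrappers in the first hunk add nothing, because `mkdir -p` already succeeds when the directory exists, so the two original lines `mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg` and `mkdir -p /var/lib/ironic/httpboot` were equivalent and shorter. The test-then-create form also opens a small window in which another init container sharing the volume can create the path between the test and the `mkdir`, which plain `mkdir -p` handles on its own. Keeping the unguarded `mkdir -p` lines is the cleaner form.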
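Review bot: The repack line `find . | cpio -o -c --quiet -R root:root | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs` in the second hunk truncates the only copy of the IPA ramdisk before the pipeline has produced anything, and because the script runs with `set -e` but not `pipefail`, a failure in `cpio -o` (or in `zcat` during the extract step above it) is hidden behind the exit status of the last command in each pipeline, so a partial ramdisk can be left in httpboot and handed to nodes. Write to a sibling temporary file and rename it into place only after the pipeline succeeds, e.g. `... | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs.tmp` followed by `mv /var/lib/ironic/httpboot/ironic-python-agent.initramfs.tmp /var/lib/ironic/httpboot/ironic-python-agent.initramfs`, and add `set -o pipefail` beside `set -ex` so both pipelines are checked. `mkdir initramfs` has no `-p`, so a restarted init container that finds a leftover `/initramfs` aborts at that line; creating a fresh scratch directory (or `mkdir -p` after clearing it) avoids that. `find . -print0 | cpio -o --null ...` additionally keeps the archive correct for any path containing whitespace or newlines, and `[ ! -e "esp.img" ]` is the non-deprecated spelling of the `-a` test in the moved ESP block.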
@@ -54,16 +54,3 @@ fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
 mkdir /var/lib/ironic/ramdisk-logs
 fi
-# Build an ESP image
-pushd /var/lib/ironic/httpboot
-if [ ! -a "esp.img" ]; then
- dd if=/dev/zero of=esp.img bs=4096 count=1024
- mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
-
- mmd -i esp.img EFI
- mmd -i esp.img EFI/BOOT
- mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
- mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
- mdir -i esp.img ::EFI/BOOT;
-fi
-popd
diff --git a/templates/ironicinspector/bin/init.sh b/templates/ironicinspector/bin/init.sh
index 97dba982..67510999 100755
--- a/templates/ironicinspector/bin/init.sh
+++ b/templates/ironicinspector/bin/init.sh
@@ -20,6 +20,9 @@ export TRANSPORTURL=${TransportURL:-""}
 export CUSTOMCONF=${CustomConf:-""}
+if [ ! -d "/var/lib/ironic/httpboot" ]; then
+ mkdir /var/lib/ironic/httpboot
+fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
 mkdir /var/lib/ironic/ramdisk-logs
 fi
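Review bot: The new `if [ ! -d "/var/lib/ironic/httpboot" ]; then mkdir ...; fi` block in templates/ironicinspector/bin/init.sh creates the same directory that templates/common/bin/pxe-init.sh creates with `mkdir -p`, and the test-then-`mkdir` form fails if another container on the shared volume creates the path between the two commands; a single `mkdir -p /var/lib/ironic/httpboot` is equivalent and matches the other script. If the purpose is to guarantee httpboot exists before the ironic-python-agent-init container (now ordered ahead of pxe-init in pkg/ironicinspector/initcontainer.go) copies the ramdisk into it, a comment such as `# httpboot must exist before ipa-init copies the ramdisk into it` would record why the directory is created here rather than in pxe-init.sh; this assumes the inspector's `init` container is what runs this script, which the diff does not show.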