Closed defo89 closed 2 months ago
Hi @defo89. Thanks for your PR.
I'm waiting for a metal3-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
/ok-to-test
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
/approve /test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dtantsur
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/retest
/retest CI should be better now.
/hold, for HTTPS you need to also supply the certificates unless the specific URL is compatible with iPXE's default credential chain (Mozilla). Also you have to configure the dnsmasq server of Ironic with the same certs. We already have tooling to build HTTPS-enabled iPXE on the fly or to use pre-built iPXE firmware: https://github.com/metal3-io/utility-images.
What you are editing @defo89 in this PR is the default / statically compiled iPXE firmware (that is why it is compiled at container build time), which is suitable for those who have no special requirements. For those who need more advanced iPXE firmware I would recommend deploying the ipxebuilder as an init container of the Ironic pod or just patching the Dockerfile downstream, but IMO we should in no scenario edit the upstream Dockerfile to get this functionality.
/hold
@defo89: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
metal3-centos-e2e-integration-test-main | a6d12bb3b165dd951f3ecf2aa63e4baf2cf12b2b | link | true | /test metal3-centos-e2e-integration-test-main |
> I would recommend to deploy the ipxebuilder as an init container of the Ironic pod or just patch the Dockerfile downstream

We use this in production - the problem with this approach would be delayed pod readiness on reschedule/failure of the node previously running this pod.
@Rozzii Would you consider an option to override the iPXE image location per env var like it's done with the IPA_BASEURI env? E.g. I could provide them via volume. My issue atm is that ironic-image provides all means to leverage TLS (I could do it for ironic and httpd) and only this bit is missing.
I plan to document this topic a bit more (or a lot more) in the future, but I think we have such variables:
- IPXE_CUSTOM_FIRMWARE_DIR: can be used to specify where the dnsmasq container should find the custom firmware files
- IPXE_SSL_PROTOCOL: this should set the SSL/TLS versions that
- IPXE_CERT_FILE: this should be the same as the one embedded in the firmware
- IPXE_KEY_FILE: same as above
- IPXE_TLS_PORT: by default 8084; this is the port that the PXE firmware will use to call "home" and download the PXE files and the ramdisk
You are AFAIK the first user who would like to run things with custom PXE firmware so please keep me in the loop if you run into some issues.
Would it be okay to close this ticket @defo89 ?
@Rozzii sure, we can close it. Thanks!
What this PR does / why we need it: I am trying to use TLS in every part of the deployment chain and it seems that by default HTTPS is disabled in the iPXE image.
As per https://ipxe.org/buildcfg/download_proto_https, this commit would enable support (tested this in our environment).
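As an added example (not code from this PR, from ironic-image or from utility-images), the following script shows the build-side half of what the thread discusses: enabling DOWNLOAD_PROTO_HTTPS through iPXE's documented config/local/ override instead of editing the upstream config or Dockerfile, and embedding the deployment CA at build time so that iPXE actually verifies the TLS server rather than falling back to its default trust store. Assumptions: the first argument is an iPXE checkout containing src/, the second is the PEM CA that signed the ironic/httpd server certificate (the same CA behind IPXE_CERT_FILE), and undionly.kpxe plus ipxe.efi are the BIOS and UEFI images the dnsmasq container is assumed to serve; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not part of the PR or of ironic-image.
# Enables HTTPS in an iPXE source tree via config/local/general.h
# (https://ipxe.org/buildcfg) and builds with the deployment CA embedded.
# Assumed layout: $1 = iPXE checkout with src/, $2 = PEM CA file.
set -eu

# iPXE's config/general.h ships with "#undef DOWNLOAD_PROTO_HTTPS".
# A #define in config/local/general.h overrides it without touching
# the upstream file, so a downstream build needs no Dockerfile patch.
write_local_config() {
    mkdir -p "$1/src/config/local"
    cat > "$1/src/config/local/general.h" <<'EOF'
/* Local iPXE build overrides, see https://ipxe.org/buildcfg */
#define DOWNLOAD_PROTO_HTTPS   /* allow https:// in chainload URLs */
EOF
}

# Exit 0 if the local override enables HTTPS, 1 otherwise.
https_enabled() {
    [ -f "$1/src/config/local/general.h" ] &&
    grep -q '^#define[[:space:]]*DOWNLOAD_PROTO_HTTPS' "$1/src/config/local/general.h"
}

# Exit 0 only if the file holds at least one PEM certificate block.
# An empty or non-PEM TRUST= file yields a firmware that trusts nothing.
pem_ca_ok() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the BIOS and UEFI images with the CA as the only trusted root
# (TRUST=, documented at https://ipxe.org/crypto), so iPXE rejects any
# server whose chain does not end in that CA. Not executed by the test.
build_https_ipxe() {
    src="$1"; ca="$2"
    https_enabled "$src" || { echo "HTTPS override missing in $src" >&2; return 1; }
    pem_ca_ok "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    make -C "$src/src" bin/undionly.kpxe bin-x86_64-efi/ipxe.efi TRUST="$ca"
}

# Usage: sh enable_https_ipxe.sh build /path/to/ipxe /path/to/ca.crt
if [ "${1:-}" = "build" ]; then
    write_local_config "$2"
    build_https_ipxe "$2" "$3"
fi
```

The CA passed as TRUST= must be the issuer of the certificate the dnsmasq/httpd side serves (the IPXE_CERT_FILE from the comment above); if the two drift apart, HTTPS chainloading fails with a certificate error rather than falling back to HTTP.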