suse-edge / charts

SUSE Edge engineering Helm charts
https://suse-edge.github.io/charts/
Apache License 2.0

Provide a way to configure ironic-python-agent root password #85

Closed zioc closed 9 months ago

zioc commented 10 months ago

In order to troubleshoot introspection and provisioning, it can be very convenient to be able to log in to the ironic python agent.

There is already a debug.ironicRamdiskSshKey parameter in ironic, but it is not usable if IPA network configuration fails or if we don't manage to retrieve its IP.

In order to enable debugging from the BMC console, it would be great to have the capability to provide a password for debugging purposes.

We used to have that feature in the metal3 chart from sylva, see https://gitlab.com/sylva-projects/sylva-elements/helm-charts/metal3/-/issues/8, so it'd be great to have it here too for feature parity.

hardys commented 9 months ago

Hi @zioc - thanks for raising this issue!

I agree this can be helpful, and we can consider adding it as an option if required, but first perhaps we can evaluate if the existing autologin may be sufficient;

In the ramdisk rootfs tarball there is a script which enables the following:

# autologin root on given console (default tty1) if suse.autologin or coreos.autologin is enabled
if [[ $PARAMS =~ (suse|coreos)\.autologin=?([^ ]*) ]]; then
  tty="${BASH_REMATCH[2]:-tty1}"
  echo "Enabling autologin on $tty..."
  systemctl stop getty@$tty
  systemctl start autologin@$tty
fi

So it is possible to edit the ironic-bmo configmap to contain configuration like IRONIC_KERNEL_PARAMS: console=ttyS0 tls.enabled=true suse.autologin=ttyS0

Unfortunately this is not currently configurable via helm values, but we could add a variable to append additional kernel params if this approach is sufficient?

Alternatively if you prefer we can look at enabling a root password instead, let me know what your preference is, thanks!

zioc commented 9 months ago

Thanks for the prompt reply @hardys

The autologin option seems indeed to be really convenient, all the more as it's not always obvious to provide a password that is properly escaped to cross the various layers...

A generic variable to append kernel params would indeed be quite convenient, as it would allow us to set autologin and/or root password depending on the needs/constraints.

tmmorin commented 9 months ago

I deployed metal3-suse via Sylva unit, with a postRender to change the configmap:

  metal3-suse:
    helmrelease_spec:
      timeout: 20m
      install:
        remediation:
          retries: -1
      values:
        global:
          enable_vmedia_tls: false
          #enable_tls: false
      postRenderers:
      - kustomize:
          patches:
          - target:
              kind: ConfigMap
              name: ironic-bmo
            patch: |
              - op: replace
                path: /data/IRONIC_KERNEL_PARAMS
                value: console=tty0 suse.autologin=tty0

using tty0 instead of ttyS0

The autologin feature seems to work, but not flawlessly though: I'm disconnected every 3s 😬
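The check below is an added example, not code from the chart or the ramdisk image: it applies the regex from the ramdisk script quoted above to an `IRONIC_KERNEL_PARAMS` value and reports which console would get a passwordless root login, so a debug setting can be caught before it reaches a production ConfigMap. The function names are hypothetical and the sample lines are constructed from the values mentioned in this thread.

```shell
#!/bin/sh
# Added example: audit a kernel command line for the ramdisk's root autologin switch.

# autologin_tty PARAMS
#   Prints the console the ramdisk hook would autologin root on and returns 0,
#   or prints nothing and returns 1 when no autologin parameter is present.
autologin_tty() {
  # Same ERE as the ramdisk script; grep -o gives the leftmost match, like bash's =~
  match=$(printf '%s\n' "$1" | grep -oE '(suse|coreos)\.autologin=?[^ ]*' | head -n 1)
  [ -n "$match" ] || return 1
  value=${match#*.autologin}      # drop "suse.autologin" / "coreos.autologin"
  value=${value#=}                # drop the optional "="
  printf '%s\n' "${value:-tty1}"  # empty value falls back to tty1, as in the script
}

# audit_kernel_params PARAMS
#   Returns 0 when no passwordless root console is requested, 1 otherwise.
audit_kernel_params() {
  if console=$(autologin_tty "$1"); then
    echo "FAIL: root autologin without password on $console"
    return 1
  fi
  echo "OK: no autologin parameter"
}

# Constructed sample values for IRONIC_KERNEL_PARAMS (one per line)
while IFS= read -r params; do
  printf '%-55s ' "$params"
  audit_kernel_params "$params" || true
done <<'EOF'
console=ttyS0 tls.enabled=true suse.autologin=ttyS0
console=tty0 suse.autologin=tty0
console=ttyS0 suse.autologin
console=ttyS0 tls.enabled=true
EOF
```

The third sample shows the default: a bare `suse.autologin` with no value still opens a root session, on tty1.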

tmmorin commented 9 months ago

For the cases where we have IPA issues we want to troubleshoot and we do have an IP successfully assigned to the IPA, having an SSH key installed for the root user is the ideal: it allows SSH'ing into the server and having much better abilities to investigate, transfer files, etc.

(we have this possibility in the metal3 sylva chart)

hardys commented 9 months ago

> For the cases where we have IPA issues we want to troubleshoot and we do have an IP successfully assigned to the IPA, having an SSH key installed for the root user is the ideal: it allows SSH'ing into the server and having much better abilities to investigate, transfer files, etc.
>
> (we have this possibility in the metal3 sylva chart)

@tmmorin this should already be possible via the IRONIC_RAMDISK_SSH_KEY configmap value - this is exposed by the ironic subchart debug.ironicRamdiskSshKey option

I notice the value used in the sylva chart is different, but the functionality should be the same. Please let me know if that works OK for you, thanks!

hardys commented 9 months ago

I noticed that there are some issues reliably configuring the rootpwd described in https://gitlab.com/sylva-projects/sylva-elements/helm-charts/metal3/-/issues/8 so we should perhaps pursue fixing the autologin instead. I wonder if we need to disable (not just stop) the getty unit in the ramdisk script, some testing needed to confirm. cc @Kristian-ZH

hardys commented 9 months ago

> The autologin feature seems to work, but not flawlessly though: I'm disconnected every 3s 😬

@tmmorin FYI @Kristian-ZH found the problem and included a fix in the latest IPA ramdisk image:

https://build.opensuse.org/package/revisions/isv:SUSE:Edge:Metal3:Ironic:2023.2/openstack-ironic-image-120-rpm

This is planned for inclusion in the 0.6.1 chart release which is currently under review/test https://github.com/suse-edge/charts/pull/89