Merge "Remove the ability to install and use ironic-inspector"

Author: Zuul

doc/source/user/architecture.rst

@@ -13,14 +13,6 @@ ironic_
     Ironic is the main service that provides bare metal capabilities.
     Its `bare metal API`_ is served on TCP port 6385.
 
-ironic-inspector_
-    Inspector is an auxiliary service that provides `in-band inspection`_.
-    Its `introspection API`_ is served on TCP port 5050.
-
-    Inspector is deprecated and can be enabled by setting
-    ``enable_inspector=true``. Otherwise, Ironic's `native in-band inspection`_
-    is used.
-
 mariadb_
     MariaDB is used as a database to persistently store information.
 
@@ -35,9 +27,8 @@ nginx_
     Uses HTTP port 8080 by default (can be changed via the ``file_url_port``
     parameter).
 
-    When TLS is enabled, Nginx serves as a TLS proxy for Ironic and Inspector.
-    It listens on ports 6385 and 5050 and passes requests to the services
-    via unix sockets.
+    When TLS is enabled, Nginx serves as a TLS proxy for Ironic. It listens on
+    port 6385 and passes requests to the service via a unix socket.
 
 dnsmasq_
     Dnsmasq is used as a DHCP and TFTP server (but not for DNS by default)
@@ -51,7 +42,7 @@ The following components can be enabled if needed:
 
 keystone_
     Keystone is an OpenStack Identity service. It can be used to provide
-    sophisticated authentication to Ironic and Inspector instead of HTTP basic
+    sophisticated authentication to Ironic instead of HTTP basic
     authentication. Its `identity API`_ is served using uWSGI and Nginx on the
     port 5000, the systemd service is called ``uwsgi@keystone-public``.
 
@@ -92,7 +83,7 @@ Parameters
         192.168.122.1
 
     This IP address is used for all provisioning traffic: TFTP, iPXE,
-    call-backs to Ironic and Inspector. It is also used for the traffic between
+    and call-backs to Ironic. It is also used for the traffic between
     the services.
 
 ``public_ip``
@@ -129,11 +120,11 @@ Log locations
 ~~~~~~~~~~~~~
 
 journald
-    is used for logging from most services. For example, to get Inspector logs:
+    is used for logging from most services. For example, to get Ironic logs:
 
     .. code-block:: console
 
-        $ sudo journalctl -u ironic-inspector
+        $ sudo journalctl -u ironic
 
 ``/var/log/ironic/deploy``
     contains tarballs with ramdisk logs from deployment or cleaning. The file
@@ -148,10 +139,6 @@ journald
         $ less journal  # for ramdisks that use systemd, e.g. DIB-built
         $ less var/log/ironic-python-agent.log # for tinyIPA and similar
 
-``/var/log/ironic-inspector/ramdisk``
-    contains tarballs with ramdisk logs from inspection. They are very similar
-    to ramdisk logs from deployment and cleaning.
-
 ``/var/log/nginx/``
     contains logs for serving files (iPXE scripts, images, virtual media ISOs).
 
@@ -190,15 +177,11 @@ Runtime locations
     when cleaning or deploying.
 
 ``/run/ironic``
-    When TLS is enabled, this directory contains unix sockets of Ironic and
-    Inspector, which Nginx uses to pass requests.
+    When TLS is enabled, this directory contains the unix socket of Ironic,
+    that Nginx uses to pass requests.
 
 .. _ironic: https://docs.openstack.org/ironic/latest/
 .. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
-.. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/
-.. _in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/inspector.html
-.. _introspection API: https://docs.openstack.org/api-ref/baremetal-introspection/
-.. _native in-band inspection: https://docs.openstack.org/ironic/latest/admin/inspection/index.html
 .. _mariadb: https://mariadb.org/
 .. _nginx: https://nginx.org/
 .. _dnsmasq: https://dnsmasq.org/

doc/source/user/howto.rst

@@ -22,11 +22,6 @@ example:
     export OS_CLOUD=bifrost
     baremetal node list
 
-.. note::
-   Previously, a separate cloud ``bifrost-inspector`` was provided for
-   introspection commands. It is now deprecated, the main ``bifrost`` cloud
-   should always be used.
-
 Environment variables
 ---------------------
 

playbooks/ci/run.yaml

@@ -23,4 +23,3 @@
         ENABLE_TLS: "{{ enable_tls | default(false) | bool | lower }}"
         ENABLE_PROMETHEUS_EXPORTER: "{{ enable_prometheus_exporter | default(false) | bool | lower }}"
         USE_VMEDIA: "{{ use_vmedia | default(false) | bool | lower }}"
-        USE_INSPECTOR: "{{ use_inspector | default(false) | bool | lower }}"

playbooks/roles/bifrost-ironic-install/README.md

@@ -25,7 +25,7 @@ bifrost-ironic-install role.
 testing: false
 
 Enables no-authentication mode where no authentication is used for accessing
-API services. The default setting of ``true`` makes ironic and ironic-inspector
+API services. The default setting of ``true`` makes ironic
 either use keystone (if ``enable_keystone`` is true) or HTTP basic auth
 (use ``admin_username``/``admin_password`` and
 ``default_username``/``default_password`` to configure).
@@ -196,9 +196,6 @@ remote_syslog_port: String value, default is 514. If set, custom port is
 ironic_log_dir: String value, default undefined. If set, it specifies a
                 a non-default log directory for ironic.
 
-inspector_log_dir: String value, default undefined. If set, it specifies a
-                   non-default log directory for inspector.
-
 nginx_log_dir: String value, default /var/log/nginx. It specifies a log
                directory for nginx.
 
@@ -207,9 +204,9 @@ fast_track: Boolean setting to enable ironic to leverage an already running
             immediately as opposed to waiting for a complete system reboot.
 
 power_off_after_inspection: Boolean setting governing the behavior
-                            of ironic-inspector's processing.
+                            of inspection.
                             The default is to not power-off machines
-                            effectively enabling the Inspection to
+                            effectively enabling moving from Inspection to
                             Deployment without the need to reboot
                             the physical machine.
 
@@ -222,22 +219,7 @@ enable_credential_less_deploy: Boolean setting that enables the experimental
 
 ### Hardware Inspection Support
 
-Bifrost also supports the installation of ironic-inspector in standalone
-mode, which enables the user to allow for identification of the system
-properties via a workflow.
-
-enable_inspector: Boolean value, default true.  Set this value to false to
-                  prevent installing ironic-inspector.
-
-inspector_debug: Boolean value, default true. Enables debug level logging
-                 for inspector. Note that this default may change in
-                 future.
-
-inspector_manage_firewall: Boolean value, default false. Controls whether
-                           ironic-inspector should manage the firewall
-                           rules of the host. Bifrost's installation playbook
-                           adds the rule to permit the callback traffic,
-                           so you shouldn't need to enable this.
+Bifrost also supports identification of the system properties via a workflow.
 
 inspector_port_addition: Defines which MAC addresses to add as ports during
                          introspection. Possible values are `all`, `active`,
@@ -247,10 +229,6 @@ inspector_keep_ports: Defines which ports on a node to keep after
                       introspection. Possible values are `all`, `present`,
                       and `added`. The default value is `present`.
 
-inspector_store_ramdisk_logs: Boolean value, default true. Controls if the
-                              inspector agent will retain logs from the
-                              ramdisk that called the inspector service.
-
 enable_inspector_discovery: Boolean value, default false. This instructs
                             inspector to add new nodes that are discovered
                             via PXE booting on the same network to ironic.
@@ -266,11 +244,6 @@ inspector_extra_kernel_options: String value, default undefined. Extra
                                 kernel parameters for the inspector default
                                 PXE configuration.
 
-inspector_processing_hooks: String value containing a comma-separated list,
-                            default undefined. Use this to specify a
-                            non-default list of comma-separated processing
-                            hooks for inspector.
-
 ### Virtual Environment Install
 
 Bifrost installs ironic and other services into a python virtual environment
@@ -315,10 +288,6 @@ Please note, if the hostname is set to something besides``localhost``,
 then the playbook will not attempt to create databases, database users,
 and grant privileges.
 
-Similarly, if hardware introspection support is installed, the
-nearly identical data structure for inspector can be found in the
-same file named ``ironic_inspector``.
-
 Notes
 -----
 

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -18,8 +18,6 @@ file_url_port: "8080"
 file_url_port_tls: "8083"
 ironicclient_source_install: false
 openstacksdk_source_install: false
-ironicinspector_source_install: true
-ironicinspectorclient_source_install: false
 sushy_source_install: false
 staging_drivers_source_install: true
 prometheus_exporter_source_install: true
@@ -205,8 +203,6 @@ ironicclient_git_url: https://opendev.org/openstack/python-ironicclient
 openstacksdk_git_url: https://opendev.org/openstack/openstacksdk
 ironic_git_url: https://opendev.org/openstack/ironic
 staging_drivers_git_url: https://opendev.org/x/ironic-staging-drivers
-ironicinspector_git_url: https://opendev.org/openstack/ironic-inspector
-ironicinspectorclient_git_url: https://opendev.org/openstack/python-ironic-inspector-client
 ipa_git_url: https://opendev.org/openstack/ironic-python-agent
 ipa_builder_git_url: https://opendev.org/openstack/ironic-python-agent-builder
 prometheus_exporter_git_url: https://opendev.org/openstack/ironic-prometheus-exporter
@@ -218,8 +214,6 @@ openstacksdk_git_folder: /opt/stack/openstacksdk
 dib_git_folder: /opt/stack/diskimage-builder
 reqs_git_folder: /opt/stack/requirements
 staging_drivers_git_folder: /opt/stack/ironic-staging-drivers
-ironicinspector_git_folder: /opt/stack/ironic-inspector
-ironicinspectorclient_git_folder: /opt/stack/python-ironic-inspector-client
 sushy_git_folder: /opt/stack/sushy
 ipa_git_folder: /opt/stack/ironic-python-agent
 ipa_builder_git_folder: /opt/stack/ironic-python-agent-builder
@@ -307,19 +301,9 @@ inventory_dns: False
 # Several NTP servers can be specified, separated by commas.
 # dnsmasq_ntp_servers:
 
-# Settings to enable the use of inspector
-enable_inspector: false
-inspector_debug: true
-inspector_manage_firewall: false
-
 # Set ironic_log_dir to use a non-default log directory for ironic.
 #ironic_log_dir: /var/log/ironic
 
-# Set inspector_log_dir to use a non-default log directory for inspector.
-#inspector_log_dir:
-inspector_ramdisk_logs_local_path: /var/log/ironic-inspector/ramdisk
-
-inspector_store_ramdisk_logs: true
 # Note: inspector_port_addition has three valid values: all, active, pxe
 inspector_port_addition: "pxe"
 
@@ -330,10 +314,6 @@ inspector_keep_ports: "present"
 # PXE configuration.
 inspector_extra_kernel_options: "ipa-inspection-collectors=default,logs"
 
-# Set inspector_processing_hooks to specify a non-default comma-separated
-# list of processing hooks for inspector.
-#inspector_processing_hooks:
-
 enable_inspector_discovery: false
 
 inspector_default_node_driver: "{{ 'manual-management' if enable_credential_less_deploy | bool else 'ipmi' }}"
@@ -369,7 +349,6 @@ enable_keystone: false
 # Service URLs used for communication with them.
 api_protocol: "{{ 'https' if enable_tls | bool else 'http' }}"
 ironic_api_url: "{{ api_protocol }}://{{ internal_ip }}:6385"
-ironic_inspector_api_url: "{{ api_protocol }}://{{ internal_ip }}:5050"
 keystone_api_url: "{{ api_protocol }}://{{ internal_ip }}:5000/v3"
 
 # Directory (on the controller) to keep the passwords
@@ -404,21 +383,6 @@ ironic:
     password: "{{ ironic_db_password }}"
     host: "localhost"
 
-ironic_inspector:
-  service_catalog:
-    username: "ironic_inspector"
-    password: "{{ service_password }}"
-    auth_url: "{{ keystone_api_url }}"
-    project_name: "service"
-  keystone:
-    default_username: "{{ default_username }}"
-    default_password: "{{ default_password }}"
-  database:
-    name: "inspector"
-    username: "inspector"
-    password: "{{ ironic_db_password }}"
-    host: "localhost"
-
 # NOTE(dtantsur): keep in sync with bifrost-keystone-install
 keystone:
   debug: true
@@ -451,7 +415,6 @@ vmedia_enable_tls: "{{ enable_tls }}"
 tls_root: /etc/bifrost
 tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
-ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
 httpboot_private_key_path: /etc/nginx/httpboot.pem
 # If true, the conductor's JSON RPC will be available globally (and with TLS)
 expose_json_rpc: false

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -245,10 +245,6 @@
     state: directory
     mode: "0755"
 
-- name: "Install ironic-inspector to permit use of inspection interface"
-  include_tasks: inspector_bootstrap.yml
-  when: enable_inspector | bool
-
 - name: "Get ironic install location"
   shell: echo $(dirname $(which ironic))
   register: ironic_install_prefix
@@ -478,9 +474,9 @@
     - ansible_os_family == 'RedHat'
     - ansible_selinux.status == 'enabled'
   block:
-    - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
+    - name: "Allow nginx, ironic and IPA ports on SELinux"
       seport:
-        ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
+        ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,9999"
         proto: tcp
         setype: http_port_t
         state: present

playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml

@@ -174,17 +174,12 @@
 
 # TODO(TheJulia): The pxelinux folder is statically coded in ironic.
 # For now, we need to use it, but we can patch that.
-- name: "Inspector - Place default tftp boot file in {{ http_boot_folder }}/pxelinux.cfg/"
+- name: "Place default tftp boot file in {{ http_boot_folder }}/pxelinux.cfg/"
   template:
-    src: inspector-default-boot-ipxe.j2
+    src: default-boot-ipxe.j2
     dest: "{{ http_boot_folder }}/pxelinux.cfg/default"
     owner: ironic
     group: ironic
     mode: "0644"
   vars:
-    inspection_callback_url: >-
-      {%- if enable_inspector | bool -%}
-      {{ api_protocol }}://{{ internal_ip }}:5050/v1/continue
-      {%- else -%}
-      {{ api_protocol }}://{{ internal_ip }}:6385/v1/continue_inspection
-      {%- endif -%}
+    inspection_callback_url: "{{ api_protocol }}://{{ internal_ip }}:6385/v1/continue_inspection"