Description of problem: Some servers cannot disable PXE boot on secondary NIC interfaces, so after discovery and deployment, the overcloud node ends up booting the discovery image. Version-Release number of selected component (if applicable): OSP 7.3 + OSP 8 How reproducible: 100% Steps to Reproduce: 1. Configure multiple NICs for PXE boot 2. Perform discovery 3. Perform deployment 4. Reboot overcloud servers Actual results: Nodes will go through PXE boot timeout on first NIC, then will boot via the second NIC the discovery image. Expected results: After deployment, the nodes should boot to disk. Additional info: Our customer are using blades from Lenovo and the "plain" ipmi_tool driver for Ironic. The blades have four NICs and somehow (at least this is what I've been told by the HW guys) it's not possible to only enable PXE on a single interface, it's all or nothing.
Hello! This request quite contradicts to how introspection actually works. E.g. how do you expect it to figure out that the introspection is done forever? The simplest thing to do is: sudo systemctl stop openstack-ironic-inspector-dnsmasq sudo systemctl disable openstack-ironic-inspector-dnsmasq If you want some TripleO command to do it (not sure if it's a great idea though), please redirect this bug to the generic project. P.S. When Nova is finally able to work with several MAC's per node, we'll just enroll all MAC's on the provisioning network, and avoid this problem.
(In reply to Dmitry Tantsur from comment #2) > Hello! > > This request quite contradicts to how introspection actually works. E.g. how > do you expect it to figure out that the introspection is done forever? > > The simplest thing to do is: > > sudo systemctl stop openstack-ironic-inspector-dnsmasq > sudo systemctl disable openstack-ironic-inspector-dnsmasq > > If you want some TripleO command to do it (not sure if it's a great idea > though), please redirect this bug to the generic project. > > P.S. > When Nova is finally able to work with several MAC's per node, we'll just > enroll all MAC's on the provisioning network, and avoid this problem. We do, in fact, know that introspection has been completed for a particular node. We already blacklist the MAC that was used to boot the system. I fail to see any downside to blacklisting the rest of the MACs on that same system. I don't really understand why we would need Nova to support multiple MACs per instance. We only need to add the other MAC addresses to the iptables blacklist for dnsmasq. If those two things are somehow tied together, I don't know how. Thanks for the workaround, but that would disable scaling. Then, in order to scale up computes, you would have to turn this service back on. If any nodes were to reboot during the time the service was enabled, they would not boot to disk.
> We do, in fact, know that introspection has been completed for a particular node. We already blacklist the MAC that was used to boot the system. I fail to see any downside to blacklisting the rest of the MACs on that same system. The only problem is that we don't really know them, cause we only keep one MAC in Ironic. That said, I got an idea which I'll try to bring upstream. Stay tuned.
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
I'm terribly sorry, I forgot to update the bug status. It did make it into OSP 8.0 and is available from puddles for some time.
Verified: Environment: openstack-ironic-inspector-2.2.5-2.el7ost.noarch Before introspecting the nodes: [root@undercloud ~]# iptables -L ironic-inspector Chain ironic-inspector (1 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable When the introspection just started: [root@undercloud ~]# iptables -L ironic-inspector Chain ironic-inspector (1 references) target prot opt source d estination DROP all -- anywhere anywhere MAC 00:0A:F7:7F:24:88 DROP all -- anywhere anywhere MAC 00:0A:F7:7F:24:96 DROP all -- anywhere anywhere MAC 00:0A:F7:79:93:CE DROP all -- anywhere anywhere MAC 00:0A:F7:79:93:1A DROP all -- anywhere anywhere MAC 00:0A:F7:79:93:2A DROP all -- anywhere anywhere MAC 00:0A:F7:7F:24:9E DROP all -- anywhere anywhere MAC 00:0A:F7:7F:24:5E ACCEPT all -- anywhere anywhere Lated during the introspection: [root@undercloud ~]# iptables -L ironic-inspector Chain ironic-inspector (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere After the introspection: [root@undercloud ~]# iptables -L ironic-inspector Chain ironic-inspector (1 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable So as we see above, after discovery everything is blacklisted.