Description of problem: The End goal is to be able to provision bare metal nodes over ipv6 with minimal Network infrastructure changes. The final image on the machine may require secure boot. Automatic configuration/selection of image should occur on Server Side (ie Single client/bare metal box uri to find web server that the automatically provision correct image for this client). URI should be TLS enabled, so we need to include certificate management stuff. Initial Production target is HPE DL360 gen 10 running in UEFI. We should use UEFI-http-boot over ipv6. We would like to expand the provisioning system to be able to support libvirt based provisioning. Initial Testing should use libvirt based VM for speed of testing before going to hardware based testing. Here is the basic test environment for initial validation. - Bare Metal Server running RHEL 8 with latest patches. - This server would simulate Local ipv6 Router and Local/Remote provisioning infrastructure. - Static ipv6 networking with bridge setup (to allow additional VM on same Network). - radvd configured to serve Router Advertisements if Network Router is not already doing so. - Hopefully RDNSS is configured in Router Advertisements, but solution should work even if RDNSS is not configured in Router Advertisements. - Web Server with iPXE menuing system configured - We may configure dhcpv6 to make it easier to follow recipes for ueif-http-boot testing. - dhcpv6 can be turned down to show that you can do provisioning without dhcpv6. - Custom ipxe compiled from Source - We would need binaries and configuration that is not included in packaged ipxe. - We would need UEFI ixpe binaries (also UEFI ipxe iso binary) - support for ipv6, remote syslog,debugging options, network debugging, certificate management commands, https support, custom embedded script support - Bare Metal Server running RHEL 8 with latest patches. - This server would simulate client baremetal machines. - Static ipv6 networking with bridge setup. - kvm/libvirt with EDK II/UEFI Support - VM's will be using Q35 with UEFI Firmware. Suggested test flow for QE: - Test booting/configuring VM via ipxe local boot, UEFI http boot. - After we have validated a working ipxe and http boot setup. - Add https, Trusted boot support - Validate DL360 http-boot work against Server System. - All test cases should be checked in VM only setup, so we can easily move debug if issues with DL360 gen 10 cases are Server or firmware problems. Upstream bugs related to this RFE: https://bugs.launchpad.net/tripleo/+bug/1830406 => Planed for OpenStack Train (OSP 16) https://bugs.launchpad.net/tripleo/+bug/1754681 => Fixed in OpenStack Rocky (OSP 14) Background Documentation: https://github.com/tianocore/tianocore.github.io/wiki/HTTP-Boot https://uefi.org/sites/default/files/resources/UEFI_Plugfest_Fall_2016_tianocore.pdf (page 17) https://software.intel.com/sites/default/files/managed/29/19/openSUSE_NetworkBootZeroTrust.pdf https://edk2-docs.gitbooks.io/getting-started-with-uefi-https-boot-on-edk-ii/content/start_guide/configure_server_and_build_client.html https://github.com/tianocore/tianocore.github.io/wiki/Configuring-PXE-Boot-Servers-for-UEFI https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00016376en_us (epecially section HTTP Boot section) - Note that doing this all via Red Fish Virtual media will be bonus section. Assume slaac on ilo and you have access to local switch to use anycast groups/mac address information on port (assume DL360 on known switch port) to figure out ipv6 address to access remote server via Red Fish.
David, all of these pieces are planned for OSP-16. IPv6 provisioning support which you have linked to this bug - https://bugzilla.redhat.com/show_bug.cgi?id=1459187 will be in TechPreview for OSP-16 as it will not have finished QE validation. Related to that RFE there is an ongoing issue with dnsmasq and DHCPv6 that affects some vendor's NICs, again which you have already linked to this bug - https://bugzilla.redhat.com/show_bug.cgi?id=1575026.
Bob, Thanks for the follow up. That's good news if we have all of these pieces planned for OSP16. Are we going to be able to use encrypted HTTP boot? Also, are can we do this without DHCPv6 using SLAAC/static addressing? Thank you very much, DVD
no progress in 2 years, customer case closed reduced capacity impacting backlog prioritization closing wontfix please reopen should this require attention