Description of problem:
After deploying, the ironic_pxe_http container is unhealthy. Looking into the issue, it looks like the problem stems from the healthcheck script not being able to get a directory listing on /var/lib/ironic/httpboot because the autoindex module is not loaded.

I was able to work around this by:

cat <<EOF >>/var/lib/config-data/puppet-generated/ironic/etc/httpd/conf.modules.d/autoindex.conf
IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif /core
AddIcon (SND,/icons/sound2.gif) .ogg
AddIcon (VID,/icons/movie.gif) .ogm
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
AddIcon /icons/odf6odt.png .odt
AddIcon /icons/odf6ods.png .ods
AddIcon /icons/odf6odp.png .odp
AddIcon /icons/odf6odg.png .odg
AddIcon /icons/odf6odc.png .odc
AddIcon /icons/odf6odf.png .odf
AddIcon /icons/odf6odb.png .odb
AddIcon /icons/odf6odi.png .odi
AddIcon /icons/odf6odm.png .odm
AddIcon /icons/odf6ott.png .ott
AddIcon /icons/odf6ots.png .ots
AddIcon /icons/odf6otp.png .otp
AddIcon /icons/odf6otg.png .otg
IndexIgnore .??* *~ *# HEADER.html README.html RCS CVS *,v *,t
EOF

cat <<EOF >>/var/lib/config-data/puppet-generated/ironic/etc/httpd/conf.modules.d/autoindex.load
LoadModule autoindex_module modules/mod_autoindex.so
EOF

podman restart ironic_pxe_http

The container remains healthy.

Version-Release number of selected component (if applicable):
17.1

How reproducible:
100%

Steps to Reproduce:
1. podman ps | grep ironic_pxe_http # Notice unhealthy container
2. Perform steps above
3. podman ps | grep ironic_pxe_http # Notice healthy container

Actual results:

Expected results:

Additional info:
The change https://review.opendev.org/c/openstack/tripleo-heat-templates/+/855562 we recently backported to stable/wallaby disabled autoindex. We can probably enable it back again for ironic pxe though I don't think exposing that default index is a good idea, because we have seen several users who prefer limiting contents accessible in any apache server for "security hardening".
Rather than change the apache config, puppet-ironic could touch a /var/lib/ironic/httpboot/index.html file so the response for this request is a 200 instead of a 403. Setting NEEDINFO for Takashi's opinion on this approach.
That would be a reasonable approach but I may have a few suggestions.
1. I think it's better that we create the file in puppet-tripleo instead of puppet-ironic, because the requirement of an accessible file is specific to TripleO (specifically speaking its healthcheck implementation).
2. We can create index.html or we may probably want to use a more specific path.
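The 403-versus-200 behaviour discussed in the two comments above, as an added simulation that is not part of the bug report or of any TripleO or puppet project code. Python's http.server stands in for Apache: with directory listing (mod_autoindex) disabled, a request for the httpboot directory is refused unless an index.html exists, so a healthcheck that probes the directory root fails. Touching an empty index.html turns the probe into a 200 without exposing the directory contents. The boot artifact name and the listening port are constructed for the example.

```python
"""Simulate an Apache httpboot directory with mod_autoindex disabled and show
how an empty index.html makes a directory probe return 200 instead of 403."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class NoAutoindexHandler(http.server.SimpleHTTPRequestHandler):
    """Behaves like Apache with mod_autoindex unloaded: a directory is served
    only through its index.html; without one the request is refused."""

    def list_directory(self, path):
        # SimpleHTTPRequestHandler only calls this when no index.html exists,
        # which is exactly the case the container healthcheck tripped over.
        self.send_error(403, "Forbidden")
        return None

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def start_server(docroot):
    """Serve docroot on an ephemeral localhost port in a background thread."""
    handler = functools.partial(NoAutoindexHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url):
    """Return (HTTP status, body) for a GET; error statuses are data here."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def healthcheck_before_and_after():
    """Probe the httpboot root before and after the index.html workaround.

    Returns (status_before, status_after, body_after)."""
    with tempfile.TemporaryDirectory() as docroot:
        # Constructed sample content: a boot artifact a listing would expose.
        with open(os.path.join(docroot, "ipxe.efi"), "wb") as f:
            f.write(b"\x00" * 16)
        server = start_server(docroot)
        try:
            root = "http://127.0.0.1:%d/" % server.server_address[1]
            status_before, _ = probe(root)          # 403: no listing, no index
            # The proposed fix: puppet touches an (empty) index.html in httpboot.
            open(os.path.join(docroot, "index.html"), "w").close()
            status_after, body_after = probe(root)  # 200 with an empty body
        finally:
            server.shutdown()
            server.server_close()
    return status_before, status_after, body_after


if __name__ == "__main__":
    before, after, body = healthcheck_before_and_after()
    print("GET / before workaround:", before)
    print("GET / after workaround:", after, "body length", len(body))
```

The empty index.html keeps the hardening intent of the backported change: the probe succeeds, but the response body carries none of the file names that a FancyIndexing listing would have shown.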
I've drafted the changes needed to implement the ideas above https://review.opendev.org/q/topic:pxe-healthcheck I attempted to verify it in CI but it seems upstream CI does not pull the change in puppet-ironic in testing, for some reason.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack Platform 17.1 (openstack-tripleo-common) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:0216
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days