Ironic Container Config for IPA Integration

Set up Ironic lookup endpoint (api/controller/v1/ramdisk.py) to send container configuration to IPA.

Partial-Bug: #2100556
Change-Id: I5fd593e58b0d33541a63ebb817ed8f3c0a62071c

ironic/api/controllers/v1/ramdisk.py

@@ -57,6 +57,15 @@ def config(token):
             'statsd_port': CONF.metrics_statsd.agent_statsd_port
         },
         'heartbeat_timeout': CONF.api.ramdisk_heartbeat_timeout,
+        'agent_containers': {
+            'allow_arbitrary_containers': CONF.agent_containers.allow_arbitrary_containers,  # noqa
+            'allowed_containers': CONF.agent_containers.allowed_containers,
+            'container_steps_file': CONF.agent_containers.container_steps_file,
+            'runner': CONF.agent_containers.runner,
+            'pull_options': CONF.agent_containers.pull_options,
+            'run_options': CONF.agent_containers.run_options,
+            'container_conf_file': CONF.agent_containers.container_conf_file,
+        },
         'agent_token': token,
         # Since this is for the Victoria release, we send this as an
         # explicit True statement for newer agents to lock the setting

ironic/conf/__init__.py

@@ -16,6 +16,7 @@
 from oslo_config import cfg
 
 from ironic.conf import agent
+from ironic.conf import agent_containers
 from ironic.conf import anaconda
 from ironic.conf import ansible
 from ironic.conf import api
@@ -57,6 +58,7 @@ from ironic.conf import vnc
 CONF = cfg.CONF
 
 agent.register_opts(CONF)
+agent_containers.register_opts(CONF)
 anaconda.register_opts(CONF)
 ansible.register_opts(CONF)
 api.register_opts(CONF)

ironic/conf/agent_containers.py

@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+from ironic.common.i18n import _
+
+
+opts = [
+    cfg.BoolOpt('allow_arbitrary_containers',
+                default=False,
+                help=_('Defines whether arbitrary containers are allowed '
+                       'for use in the IPA ramdisk. If set to False, only'
+                       'containers in the allowed_containers list can'
+                       ' be used.')),
+    cfg.ListOpt('allowed_containers',
+                default=[],
+                help=_('List of allowed container images. Only used when '
+                       'allow_arbitrary_containers is set to False.'
+                       'Containers not in this list will be rejected.')),
+    cfg.StrOpt('container_steps_file',
+               default='/etc/ironic-python-agent.d/mysteps.yaml',
+               help=_('Path in the ramdisk to the YAML file containing'
+                      'container steps to be executed.')),
+    cfg.StrOpt('runner',
+               default='podman',
+               help=_('Container runtime to use, such as'
+                      '"podman" and "docker".')),
+    cfg.StrOpt('pull_options',
+               default='--tls-verify=false',
+               help=_('Options to pass when pulling container images'
+                      '(e.g., "--tls-verify=false").')),
+    cfg.StrOpt('run_options',
+               default='--rm --network=host --tls-verify=false',
+               help=_('Options to pass when running containers'
+                      '(e.g., "--rm --network=host").')),
+    cfg.StrOpt('container_conf_file',
+               default='/etc/containers/containers.conf',
+               help=_('Path to the container configuration file'
+                      'in the IPA ramdisk.'))
+]
+
+
+def register_opts(conf):
+    conf.register_opts(opts, group='agent_containers')
+
+
+def list_opts():
+    return [opts]

ironic/tests/unit/api/controllers/v1/test_ramdisk.py

@@ -66,6 +66,19 @@ class TestLookup(test_api_base.BaseApiTest):
 
     def _check_config(self, data):
         expected_config = {
+            'agent_containers': {
+                'allow_arbitrary_containers': CONF.agent_containers
+                .allow_arbitrary_containers,
+                'allowed_containers': CONF.agent_containers
+                .allowed_containers,
+                'container_steps_file': CONF.agent_containers
+                .container_steps_file,
+                'runner': CONF.agent_containers.runner,
+                'pull_options': CONF.agent_containers.pull_options,
+                'run_options': CONF.agent_containers.run_options,
+                'container_conf_file': CONF.agent_containers
+                .container_conf_file,
+            },
             'metrics': {
                 'backend': 'statsd',
                 'prepend_host': CONF.metrics.agent_prepend_host,
@@ -442,6 +455,7 @@ class TestHeartbeat(test_api_base.BaseApiTest):
 class TestLookupScopedRBAC(TestLookup):
 
     """Test class to execute the Lookup tests with RBAC enforcement."""
+
     def setUp(self):
         super(TestLookupScopedRBAC, self).setUp()
 
@@ -456,6 +470,7 @@ class TestLookupScopedRBAC(TestLookup):
 class TestHeartbeatScopedRBAC(TestHeartbeat):
 
     """Test class to execute the Heartbeat tests with RBAC enforcement."""
+
     def setUp(self):
         super(TestHeartbeatScopedRBAC, self).setUp()
 

releasenotes/notes/agent-containers-config-4388e266d5f0192e.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add a new configuration group [agent_containers] that allows
+    users to dynamically configure container-based cleaning via
+    Ironic conductor.
+