NO-ISSUE: Upstream sync

Dockerfile.fcos

@@ -27,7 +27,8 @@ RUN prepare-image.sh && \
 COPY scripts/* /bin/
 
 # IRONIC #
-COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
+# Updated this in https://github.com/metal3-io/ironic-image/pull/713/files
+COPY --from=builder /tmp/uefi_esp*.img /templates/
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
 COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 ironic-config/ipxe_config.template /tmp/

Dockerfile.ocp

@@ -30,7 +30,8 @@ RUN dnf config-manager --disable rhel-9-openstack-17-rpms  || true && \
     rm -f /tmp/prepare-ipxe.sh
 
 # IRONIC #
-COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
+# Updated this in https://github.com/metal3-io/ironic-image/pull/713/files
+COPY --from=builder /tmp/uefi_esp*.img /templates/
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
 

Dockerfile.scos

@@ -28,7 +28,8 @@ RUN prepare-image.sh && \
 COPY scripts/* /bin/
 
 # IRONIC #
-COPY --from=builder /tmp/esp.img /tmp/uefi_esp.img
+# Updated this in https://github.com/metal3-io/ironic-image/pull/713/files
+COPY --from=builder /tmp/uefi_esp*.img /templates/
 
 COPY ironic-config/ironic.conf.j2 /etc/ironic/
 

README.md

@@ -94,6 +94,36 @@ functionality:
 - `DEPLOY_KERNEL_URL` and `DEPLOY_RAMDISK_URL` provide the default IPA kernel
   and initramfs images. If they're not set, the images from IPA downloader are
   used (if present).
+- `IRONIC_JSON_RPC_PORT` - port used by the ironic json-rpc service (default to
+  6189).
+- `WEBSERVER_CACERT_FILE` - Specifies the CA or CA bundle that will be used
+  by Ironic to verify disk and IPA images.
+
+The following environment variables can be passed to customize the virtual
+media HTTP server configuration:
+
+- `IRONIC_VMEDIA_CURVES` - Setting this variable will set the allowed set of
+  groups allowed for TLS negotiation by order of preference, it needs to be set
+  in the openSSL format like e.g. `x448:x25519:secp256r1:secp384r1`. If let
+  unset it will use default from openSSL.
+- `IRONIC_VMEDIA_TLS_12_CIPHERS` - Setting this variable will set the allowed
+  cipher suites for TLS up to version 1.2 in order, it needs to be set in the
+  openSSL format e.g. `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305`.
+  If let unset it will use default from openSSL.
+- `IRONIC_VMEDIA_TLS_13_CIPHERS` - Setting this variable will set the allowed
+  cipher suites for TLS up to version 1.3 in order, it needs to be set in the
+  openSSL format e.g. `TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256`. If
+  let unset it will use default from openSSL.
+- `IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER` - Setting this variable to
+  `true` will make the server enforce its cipher list ordering for TLS version
+  up to 1.2, defaults to `false`
+
+The following mountpoints can be passed in to customize run-time
+functionality:
+
+- `/certs/ca/bmc` - The storage path of BMC CA certificates. If the path exists
+  and verify_ca field in driver_info is True or None, the certificates in this
+  path will be used.
 
 The following mountpoints can be passed in to customize run-time
 functionality:

ironic-config/apache2-ipxe.conf.j2

@@ -10,26 +10,17 @@ Listen {{ env.IPXE_TLS_PORT }}
     SSLCertificateFile {{ env.IPXE_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
 
+    DocumentRoot "/shared/html"
     <Directory "/shared/html">
-        Order Allow,Deny
-        Allow from all
+        Options Indexes FollowSymLinks
+        Require all granted
     </Directory>
-    <Directory "/shared/html/(redfish|ilo|images)/">
-        Order Deny,Allow
-        Deny from all
+    <Directory ~ "/shared/html/(redfish|ilo|images)/">
+        Require all denied
     </Directory>
-</VirtualHost>
 
-<Location ~ "^/grub.*/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/pxelinux.cfg/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/.*\.conf/">
-    SSLRequireSSL
-</Location>
-<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
-    SSLRequireSSL
-</Location>
+    <Location ~ "^/.*">
+        SSLRequireSSL
+    </Location>
 
+</VirtualHost>

ironic-config/apache2-vmedia.conf.j2

@@ -10,16 +10,29 @@ Listen {{ env.VMEDIA_TLS_PORT }}
     SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
 
+    {% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
+    SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
+    SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
+    SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
+    {% endif %}
+    {% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
+    SSLHonorCipherOrder on
+    {% endif %}
+
     <Directory ~ "/shared/html">
-         Order deny,allow
-         deny from all
+        Require all denied
     </Directory>
     <Directory ~ "/shared/html/(redfish|ilo)/">
-         Order allow,deny
-         allow from all
+        Require all granted
     </Directory>
+
+    <Location ~ "^/.*">
+        SSLRequireSSL
+    </Location>
+
 </VirtualHost>
 
-<Location ~ "^/(redfish|ilo)/">
-    SSLRequireSSL
-</Location>

ironic-config/dnsmasq.conf.j2

@@ -11,50 +11,40 @@ port={{ env.DNS_PORT }}
 {%- if env.DHCP_RANGE | length %}
 log-dhcp
 dhcp-range={{ env.DHCP_RANGE }}
-
-# It can be used when setting DNS or GW variables.
-{%- if env["GATEWAY_IP"] is undefined %}
-# Disable default router(s)
-dhcp-option=3
-{% else %}
-dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
+
 {%- if env["DNS_IP"] is undefined %}
 # Disable DNS over provisioning network
 dhcp-option=6
 {% else %}
 dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
 {% endif %}
 
+{# Network boot options for IPv4 and IPv6 #}
 {%- if env.IPV == "4" or env.IPV is undefined %}
 # IPv4 Configuration:
 dhcp-match=ipxe,175
-# Client is already running iPXE; move to next stage of chainloading
-{%- if env.IPXE_TLS_SETUP == "true"  %}
-# iPXE with (U)EFI
-dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
-# iPXE with BIOS
-dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
+
+{# Set the router or disable it. Setting router is IPv4 specific, in v6 there #}
+{# are router advertisements that do the same thing. #}
+{%- if env["GATEWAY_IP"] is undefined %}
+# Disable default router(s)
+dhcp-option=3
 {% else %}
-dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
+dhcp-option=option:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
 
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
-dhcp-match=set:efi_arm,option:client-arch,11
-
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
-{%- if env.IPXE_TLS_SETUP == "true"  %}
-dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+dhcp-match=set:efi,option:client-arch,11
+# Client is (i)PXE booting on EFI machine
+dhcp-boot=tag:efi,/snponly.efi,{{ env.IRONIC_IP }}
+# Client is running (i)PXE on BIOS machine
+dhcp-boot=tag:!efi,/undionly.kpxe,{{ env.IRONIC_IP }}
+{%- if env.IPXE_TLS_SETUP != "true" %}
+dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
 {% endif %}
-dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
-
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader for aarch64
-dhcp-boot=tag:efi_arm,tag:!ipxe,/arm64-efi/snponly.efi
-
-# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
-dhcp-boot=/undionly.kpxe,{{ env.IRONIC_IP }}
 {% endif %}
 
 {% if env.IPV == "6" %}
@@ -64,22 +54,12 @@ ra-param={{ env.PROVISIONING_INTERFACE }},0,0
 
 dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
 dhcp-userclass=set:ipxe6,iPXE
-dhcp-option=tag:pxe6,option6:bootfile-url,tftp://{{ env.IRONIC_URL_HOST }}/snponly.efi
-dhcp-option=tag:ipxe6,option6:bootfile-url,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
-
-# It can be used when setting DNS or GW variables.
-{%- if env["GATEWAY_IP"] is undefined %}
-# Disable default router(s)
-dhcp-option=3
-{% else %}
-dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
-{% endif %}
-{%- if env["DNS_IP"] is undefined %}
-# Disable DNS over provisioning network
-dhcp-option=6
-{% else %}
-dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
-{% endif %}
+# Client is (i)PXE booting on EFI machine
+dhcp-option=tag:efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/snponly.efi
+# Client is running (i)PXE on BIOS machine
+dhcp-option=tag:!efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/undionly.kpxe
+{%- if env.IPXE_TLS_SETUP != "true" %}
+dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
 {% endif %}
 {% endif %}
 

ironic-config/httpd-ironic-api.conf.j2

@@ -19,6 +19,20 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
 
+    DocumentRoot "/shared/html"
+
+    <Directory "/shared/html">
+        Require all denied
+    </Directory>
+
+    <Directory "/shared/html/images">
+        Require all granted
+    </Directory>
+
+    # Exclude /images from proxying
+    ProxyPass        "/images" !
+    ProxyPassReverse "/images" !
+
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}
     ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
     ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -41,6 +55,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 
+
     <Location />
          {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
             AuthType Basic
@@ -57,4 +72,9 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
         Require all granted
     </Location>
+
+    <Location ~ "^/images(/.*)?$">
+        Require all granted
+    </Location>
+
 </VirtualHost>

ironic-config/httpd-modules.conf

@@ -8,8 +8,6 @@ LoadModule mpm_event_module /etc/httpd/modules/mod_mpm_event.so
 LoadModule ssl_module /etc/httpd/modules/mod_ssl.so
 LoadModule env_module /etc/httpd/modules/mod_env.so
 LoadModule proxy_module /etc/httpd/modules/mod_proxy.so
-LoadModule proxy_ajp_module /etc/httpd/modules/mod_proxy_ajp.so
-LoadModule proxy_balancer_module /etc/httpd/modules/mod_proxy_balancer.so
 LoadModule proxy_http_module /etc/httpd/modules/mod_proxy_http.so
 LoadModule slotmem_shm_module /etc/httpd/modules/mod_slotmem_shm.so
 LoadModule headers_module /etc/httpd/modules/mod_headers.so

ironic-config/httpd.conf.j2

@@ -16,18 +16,43 @@ Group apache
 DocumentRoot "/shared/html"
 
 <Directory "/shared/html">
+{%- if env.IPXE_TLS_SETUP | lower == "true" %}
     Options Indexes FollowSymLinks
-    AllowOverride None
+    Require all denied
+{%- else %}
+    Options Indexes FollowSymLinks
+    Require all granted
+{%- endif %}
+</Directory>
+
+<Directory ~ "/shared/html/(redfish|ilo)/">
+{%- if env.IRONIC_VMEDIA_TLS_SETUP | lower == "true" %}
+    Require all denied
+{%- else %}
     Require all granted
+{%- endif %}
 </Directory>
 
-{%- if env.HTTPD_SERVE_NODE_IMAGES | lower == "true" %}
+{%- set serve_img = env.HTTPD_SERVE_NODE_IMAGES | lower %}
+{%- set image_tls = env.IRONIC_TLS_SETUP | lower %}
 <Directory "/shared/html/images">
     Options Indexes FollowSymLinks
     AllowOverride None
+{%- if serve_img == "true" and image_tls != "true" %}
     Require all granted
+{%- else %}
+    Require all denied
+{%- endif %}
+
+    <FilesMatch "^ironic.*">
+{%- if env.IPXE_TLS_SETUP | lower == "true" %}
+        Require all denied
+{%- else %}
+        Require all granted
+{%- endif %}
+    </FilesMatch>
 </Directory>
-{% endif %}
+
 
 <IfModule dir_module>
     DirectoryIndex index.html