[multiple] BM SNO follow-up fixes, reuse support

  - Skip controller reboot and wait_for_connection in deploy-edpm-reuse
    when cifmw_bm_sno is true (no virtual controller assumption).
  - Skip syncing local repos to the Ansible controller in push_code when
    cifmw_bm_sno is true.
  - In reuse_main, skip CRC/OCP layout detection for BM SNO; set
    _use_crc/_use_ocp false and _has_openshift true.
  - In deploy_architecture, fall back to play host facts when inventory
    has no controller-* host; derive controller address from default IPv4
    or inventory_hostname when ansible_host is unset.
  - Run OCP cluster-size reduction in architecture only when the ocps
    group exists.
  - Add cifmw_bm_agent_disabled_ifaces and agent-config networkConfig so
    extra NICs can stay link-up without IPv4/IPv6 (overlap validation);
    install nmstate when that list is non-empty.
  - Document bm_sno Zuul autohold workflow, reproducer scenarios vs
    baremetal, and spellcheck terms (NICs, autoheld, tty).
  - Update BM SNO logic to match the existing reuse_ocp
    flow where OCP (and SNO) deployment becomes skipped

Generated-by: claude-4.6-opus-high
Signed-off-by: Bohdan Dobrelia <bdobreli@redhat.com>

Author: bogdando

deploy-edpm-reuse.yaml

@@ -7,11 +7,13 @@
   gather_facts: false
   tasks:
     - name: Reboot controller-0
+      when: not (cifmw_bm_sno | default(false) | bool)
       ansible.builtin.reboot:
         reboot_timeout: 600
       become: true
 
     - name: Wait for controller-0 to come back online
+      when: not (cifmw_bm_sno | default(false) | bool)
       ansible.builtin.wait_for_connection:
         timeout: 600
         delay: 10

docs/dictionary/en-custom.txt

@@ -12,6 +12,7 @@ Idempotency
 LDAP
 LLM
 MachineConfig
+NICs
 NodeHealthCheck
 RHCOS
 SNO
@@ -41,6 +42,7 @@ arxcruz
 auth
 authfile
 autoconfiguration
+autoheld
 autohold
 autoholds
 autologin
@@ -600,6 +602,7 @@ topolvm
 traceback
 tripleo
 ttl
+tty
 txt
 uefi
 uefisecureboot

roles/bm_sno/README.md

@@ -61,6 +61,7 @@ provision IP via `/etc/hosts` entries managed by the role.
 | `cifmw_bm_agent_vmedia_uefi_path` | str | auto-discovered | UEFI device path for the Virtual Optical Drive; auto-discovered from UEFI boot options if omitted |
 | `cifmw_bm_agent_core_password` | str | — | Set a `core` user password post-install via MachineConfig |
 | `cifmw_bm_agent_live_debug` | bool | `false` | Patch the agent ISO with password, autologin, and systemd debug shell on `tty6` for discovery-phase console access (requires `cifmw_bm_agent_core_password`) |
+| `cifmw_bm_agent_disabled_ifaces` | list | `[]` | Extra NIC names to disable IPv4/IPv6 on during agent-based install. Prevents overlapping-subnet validation failures when multiple NICs share a native VLAN (e.g. `[eno2]`). The interfaces stay link-up but get no IP address; post-install NNCP configures them. |
 
 ## Secrets management
 
@@ -95,7 +96,7 @@ The agent-based deployment is composed of reusable task files under
 | `bm_ensure_usb_boot.yml` | Wraps `bm_check_usb_boot.yml`; if disabled and `cifmw_bm_agent_enable_usb_boot` is true, sets the BIOS attribute, creates a config job, and power-cycles to apply |
 | `bm_eject_vmedia.yml` | Ejects VirtualMedia from the iDRAC Virtual Optical Drive |
 | `bm_discover_vmedia_target.yml` | Discovers or validates the UEFI device path for VirtualMedia, clears pending iDRAC config jobs, and sets a one-time boot override |
-| `bm_patch_agent_iso.yml` | Patches the agent ISO ignition with core password, autologin, and debug shell (used when `cifmw_bm_agent_live_debug` is true) |
+| `bm_patch_agent_iso.yml` | Patches the agent ISO ignition with core password, autologin, and debug shell on tty6 (used when `cifmw_bm_agent_live_debug` is true) |
 | `bm_core_password_machineconfig.yml` | Generates a MachineConfig manifest to set the core user password hash post-install |
 
 ## openshift-install acquisition
@@ -178,6 +179,94 @@ cifmw_bm_nodes:
     root_device: /dev/sda
 ```
 
+## Local debugging on an autoheld Zuul node
+
+When a Zuul job is held (`autohold`), you can SSH into the Zuul controller
+and iterate on the deployment without re-provisioning SNO from scratch.
+
+### 1. Prepare the environment
+
+Edit `~/configs/zuul_vars.yaml` to skip SNO re-provisioning and OpenStack
+cleanup (there is nothing to clean up if doing the first RHOSO deployment):
+
+```yaml
+cifmw_cleanup_architecture: false
+reuse_ocp: true
+run_cleanup: false
+```
+
+### 2. Run the playbook
+
+From the `ci-framework-jobs` checkout on the Zuul controller:
+
+```bash
+cd ~/src/gitlab.cee.redhat.com/ci-framework/ci-framework-jobs
+
+ansible-playbook playbooks/baremetal/run-sno-bm.yaml \
+  --flush-cache \
+  -e@/home/zuul/configs/default-vars.yaml \
+  -e@/home/zuul/src/gitlab.cee.redhat.com/ci-framework/ci-framework-jobs/scenarios/test/test-tool-versions.yaml \
+  -e@/home/zuul/src/gitlab.cee.redhat.com/ci-framework/ci-framework-jobs/scenarios/uni/default-vars.yaml \
+  -e@/home/zuul/src/gitlab.cee.redhat.com/ci-framework/ci-framework-jobs/scenarios/baremetal/vaf/rhel-vars.yaml \
+  -e@/home/zuul/configs/networking_defintion.yaml \
+  -e@/home/zuul/configs/nmstate_config.yaml \
+  -e@/home/zuul/configs/scenario-vars.yaml \
+  -e@/home/zuul/configs/secrets.yaml \
+  -e@/home/zuul/configs/vars.yaml \
+  -e@/home/zuul/configs/zuul_vars.yaml
+```
+
+With `reuse_ocp: true`, `run-sno-bm.yaml` will:
+
+1. Copy the SNO kubeconfig from `dev-scripts/ocp/<cluster>/auth/` to
+   `~/.kube/config` and `oc login` as `kubeadmin` with
+   `--insecure-skip-tls-verify` (agent-based installer uses self-signed certs)
+2. Generate `openshift-login-params.yml` via the `openshift_login` role
+3. Write a static inventory mapping `controller-0` to `localhost`
+4. Run `deploy-edpm-reuse.yaml` instead of `reproducer.yml`, which skips
+   OCP provisioning and goes straight to architecture deployment
+
+### 3. Subsequent iterations
+
+Once the first EDPM deployment succeeds, set `cifmw_cleanup_architecture`
+back to `true` so that `cleanup-architecture.sh` tears down the previous
+OpenStack deployment before re-applying:
+
+```yaml
+cifmw_cleanup_architecture: true
+reuse_ocp: true
+run_cleanup: false
+```
+
+### 4. Quick OCP and agent/SNO SSH access
+
+The SNO kubeconfig and kubeadmin password live in the dev-scripts auth
+directory:
+
+```bash
+export KUBECONFIG=~/src/github.com/openshift-metal3/dev-scripts/ocp/<cluster>/auth/kubeconfig
+oc login -u kubeadmin \
+  -p "$(cat ~/src/github.com/openshift-metal3/dev-scripts/ocp/<cluster>/auth/kubeadmin-password)" \
+  --insecure-skip-tls-verify=true
+oc get nodes
+```
+
+For ssh access into SNO host:
+```bash
+ssh -i ~/ci-framework-data/artifacts/agent-install/agent_ssh_key \
+  core@<cluster>.<cifmw_bm_agent_base_domain>
+```
+
+Replace `<cluster>` with the value of `cifmw_bm_agent_cluster_name` (e.g.
+`sno`).
+
+For ssh into agent-install appliance, use `-i ci-framework-data/artifacts/cifmw_ocp_access_key`.
+You can also get autologin and debug shell on tty6 of the agent with:
+```bash
+cifmw_bm_agent_core_password: changeme
+cifmw_bm_agent_live_debug: true
+```
+
 ## References
 
 * [ci-framework reproducer documentation](https://ci-framework.readthedocs.io/en/latest/roles/reproducer.html)

roles/bm_sno/defaults/main.yml

@@ -6,3 +6,4 @@ cifmw_bm_agent_core_password: "redhat"
 cifmw_bm_agent_live_debug: false
 cifmw_bm_agent_vmedia_uefi_path: ""
 cifmw_bm_agent_enable_usb_boot: true
+cifmw_bm_agent_disabled_ifaces: []

roles/bm_sno/tasks/main.yml

@@ -219,6 +219,13 @@
     regexp: '^pullSecret:'
     line: "pullSecret: '<REDACTED>'"
 
+- name: Ensure nmstatectl is available for agent-config networkConfig validation
+  become: true
+  ansible.builtin.package:
+    name: nmstate
+    state: present
+  when: cifmw_bm_agent_disabled_ifaces | default([]) | length > 0
+
 - name: Generate agent ISO
   ansible.builtin.command:
     cmd: "{{ _work_dir }}/openshift-install agent create image --dir {{ _work_dir }}"

roles/bm_sno/templates/agent_config.yaml.j2

@@ -8,3 +8,22 @@ hosts:
     interfaces:
       - name: {{ _node_iface }}
         macAddress: {{ _node_mac }}
+    networkConfig:
+      interfaces:
+        - name: {{ _node_iface }}
+          type: ethernet
+          state: up
+          ipv4:
+            enabled: true
+            dhcp: true
+          ipv6:
+            enabled: false
+{% for iface in cifmw_bm_agent_disabled_ifaces | default([]) %}
+        - name: {{ iface }}
+          type: ethernet
+          state: up
+          ipv4:
+            enabled: false
+          ipv6:
+            enabled: false
+{% endfor %}

roles/cifmw_setup/tasks/deploy_architecture.yml

@@ -54,18 +54,26 @@
         # - controller (in Zuul)
         # - controller-0.foo.com (FQDN)
         # - controller-0 (no FQDN) - compatibility match
+        # Falls back to the play host (e.g. localhost) when no controller
+        # host exists in inventory, which is the case for bare metal SNO.
         _ctl_data: >-
           {{
             hostvars | dict2items |
             selectattr('key', 'match', '^(controller-0.*|controller)') |
-            map(attribute='value') | first
+            map(attribute='value') | first |
+            default(hostvars[inventory_hostname])
           }}
         _ifaces_vars: >-
           {{
             _ctl_data.ansible_interfaces |
             map('regex_replace', '^(.*)$', 'ansible_\1')
           }}
-        _controller_host: "{{ _ctl_data.ansible_host }}"
+        _controller_host: >-
+          {{
+            _ctl_data.ansible_host |
+            default(_ctl_data.ansible_default_ipv4.address |
+                    default(inventory_hostname))
+          }}
       block:
         - name: Generate needed facts out of local files
           vars:
@@ -177,6 +185,7 @@
 
 - name: Reduce OCP cluster size in architecture
   when:
+    - "'ocps' in groups"
     - groups['ocps'] | length == 1
   ansible.builtin.import_role:
     name: kustomize_deploy

roles/reproducer/tasks/push_code.yml

@@ -138,6 +138,7 @@
     - name: Sync local repositories to ansible controller
       delegate_to: localhost
       when:
+        - not (cifmw_bm_sno | default(false) | bool)
         - item.src is abs or item.src is not match('.*:.*')
       ansible.posix.synchronize:
         src: "{{ item.src }}"

roles/reproducer/tasks/reuse_main.yaml

@@ -54,6 +54,7 @@
       }}
 
 - name: Set _use_crc based on actual layout
+  when: not (cifmw_bm_sno | default(false) | bool)
   tags:
     - always
   vars:
@@ -76,6 +77,15 @@
     _use_ocp: "{{ _use_ocp }}"
     _has_openshift: "{{ _use_ocp or _use_crc }}"
 
+- name: Set _has_openshift for bare metal SNO
+  when: cifmw_bm_sno | default(false) | bool
+  tags:
+    - always
+  ansible.builtin.set_fact:
+    _use_crc: false
+    _use_ocp: false
+    _has_openshift: true
+
 - name: Ensure directories are present
   tags:
     - always

scenarios/reproducers/README.md

@@ -1,5 +1,20 @@
-# Reproducer scenarios usage
+# Reproducer scenarios
 
-These environment files should be used with the "reproducer.yml" playbook.
-Please refer to [the doc](https://ci-framework.readthedocs.io/en/latest/roles/reproducer.html)
-about its usage.
+These environment files define validated architecture scenarios for the
+virtual reproducer (reproducer.yml playbook). Each file sets
+`cifmw_libvirt_manager_configuration` (libvirt networks and VMs),
+`cifmw_devscripts_config_overrides`, and other deployment parameters for
+a specific architecture variant (e.g. HCI, SNO, multi-site).
+
+The `cifmw_architecture_scenario` variable selects which file to load.
+For example, `cifmw_architecture_scenario: va-hci-minimal-sno` loads
+`va-hci-minimal-sno.yml`.
+
+Baremetal deployments (e.g. ci-framework-jobs BM SNO) do not use the
+`cifmw_libvirt_manager_configuration` from these files. They provide
+their own networking, kustomization, and scenario variables via Zuul
+`variable_files` / `variable_files_dirs`, which take precedence as
+Ansible extra vars.
+
+Please refer to [the reproducer documentation](https://ci-framework.readthedocs.io/en/latest/roles/reproducer.html)
+for usage details.