Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / ironic / 22f94f5b5397e6be5d611f815c20dcb798d9a81e / . / README.rst
blob: 4d76b859369269770c6442faf4b05213ad67dd2b [file] [log] [blame]
======
ironic
======
Service ironic description
Sample pillars
==============
Single ironic service
.. code-block:: yaml
ironic:
api:
enabled: true
version: mitaka
bind:
address: 0.0.0.0
port: 6385
database:
engine: mysql
host: localhost
port: 3306
name: ironic
user: ironic
password: password
identity:
engine: keystone
region: RegionOne
host: localhost
port: 35357
user: ironic
password: password
tenant: service
message_queue:
engine: rabbitmq
host: localhost
port: 5672
user: openstack
password: password
virtual_host: '/openstack'
conductor:
enabled: true
version: mitaka
database:
engine: mysql
host: localhost
port: 3306
name: ironic
user: ironic
password: password
message_queue:
engine: rabbitmq
host: localhost
port: 5672
user: openstack
password: password
virtual_host: '/openstack'
Standalone ironic without keystone
.. code-block:: yaml
ironic:
api:
version: mitaka
enabled: true
bind:
address: 0.0.0.0
port: 6385
database:
engine: mysql
host: localhost
port: 3306
name: ironic
user: ironic
password: password
identity:
engine: noauth
message_queue:
engine: rabbitmq
host: localhost
port: 5672
user: openstack
password: password
virtual_host: '/openstack'
conductor:
enabled: true
version: mitaka
database:
engine: mysql
host: localhost
port: 3306
name: ironic
user: ironic
password: password
message_queue:
engine: rabbitmq
host: localhost
port: 5672
user: openstack
password: password
virtual_host: '/openstack'
Enable x509 and ssl communication between Ironic and Galera cluster.
---------------------
By default communication between Ironic and Galera is unsecure.
ironic:
api:
database:
x509:
enabled: True
conductor:
database:
x509:
enabled: True
You able to set custom certificates in pillar:
ironic:
api:
database:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
conductor:
database:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
Enable x509 and ssl communication between Ironic and Rabbitmq.
---------------------
By default communication between Ironic and Rabbitmq is unsecure.
.. code-block:: yaml
ironic:
api:
message_queue:
x509:
enabled: True
conductor:
message_queue:
x509:
enabled: True
You able to set custom certificates in pillar:
.. code-block:: yaml
ironic:
api:
message_queue:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
conductor:
message_queue:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/messaging/security.html
Ironic service with cache and security enabled
.. code-block:: yaml
ironic:
api:
enabled: true
version: pike
cache:
engine: memcached
members:
- host: 127.0.0.1
port: 11211
- host: 127.0.0.1
port: 11211
security:
enabled: true
strategy: ENCRYPT
secret_key: secret
Enable serial console for Baremetal Nodes
-----------------------------------------
.. code-block:: yaml
ironic:
conductor:
console:
terminal: shellinaboxd
terminal_cert_dir: /tmp/ca
terminal_timeout: 10
subprocess_checking_interval: 1
subprocess_timeout: 10
socat_address: 127.0.0.1
You can read more info about it here:
https://docs.openstack.org/ironic/pike/admin/console.html#node-serial-console
Ensure nodes are in target state (available).
Starting from 1.11 API microversion newly-created node is moved to `enroll`
state. To move it to available the following client pillar might be used:
.. code-block:: yaml
ironic:
client:
node_state_transition:
enabled: true
enroll_to_available:
provision_state: 'enroll'
pool_size: 5
sleep_time: 10
timeout: 15