| |
| ====== |
| ironic |
| ====== |
| |
| Service ironic description |
| |
| Sample pillars |
| ============== |
| |
| Single ironic service |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| enabled: true |
| version: mitaka |
| bind: |
| address: 0.0.0.0 |
| port: 6385 |
| concurrency: |
| lock_path: '/var/lib/ironic/tmp' |
| database: |
| engine: mysql |
| host: localhost |
| port: 3306 |
| name: ironic |
| user: ironic |
| password: password |
| identity: |
| engine: keystone |
| region: RegionOne |
| host: localhost |
| port: 35357 |
| user: ironic |
| password: password |
| tenant: service |
| message_queue: |
| engine: rabbitmq |
| host: localhost |
| port: 5672 |
| user: openstack |
| password: password |
| virtual_host: '/openstack' |
| conductor: |
| enabled: true |
| version: mitaka |
| concurrency: |
| lock_path: '/var/lib/ironic/tmp' |
| database: |
| engine: mysql |
| host: localhost |
| port: 3306 |
| name: ironic |
| user: ironic |
| password: password |
| message_queue: |
| engine: rabbitmq |
| host: localhost |
| port: 5672 |
| user: openstack |
| password: password |
| virtual_host: '/openstack' |
| |
| Standalone ironic without keystone |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| version: mitaka |
| enabled: true |
| bind: |
| address: 0.0.0.0 |
| port: 6385 |
| database: |
| engine: mysql |
| host: localhost |
| port: 3306 |
| name: ironic |
| user: ironic |
| password: password |
| identity: |
| engine: noauth |
| message_queue: |
| engine: rabbitmq |
| host: localhost |
| port: 5672 |
| user: openstack |
| password: password |
| virtual_host: '/openstack' |
| conductor: |
| enabled: true |
| version: mitaka |
| database: |
| engine: mysql |
| host: localhost |
| port: 3306 |
| name: ironic |
| user: ironic |
| password: password |
| message_queue: |
| engine: rabbitmq |
| host: localhost |
| port: 5672 |
| user: openstack |
| password: password |
| virtual_host: '/openstack' |
| |
| Configuration of policy.json file: |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| ... |
| api_type: deploy |
| policy: |
| 'baremetal:node:create': 'rule:is_admin' |
| 'baremetal:node:delete': 'rule:is_admin' |
| # Add key without value to remove line from policy.json |
| 'baremetal:node:update': |
| |
| Enable x509 and ssl communication between Ironic and Galera cluster. |
| --------------------- |
| By default communication between Ironic and Galera is unsecure. |
| |
| ironic: |
| api: |
| database: |
| x509: |
| enabled: True |
| conductor: |
| database: |
| x509: |
| enabled: True |
| |
| You able to set custom certificates in pillar: |
| |
| ironic: |
| api: |
| database: |
| x509: |
| cacert: (certificate content) |
| cert: (certificate content) |
| key: (certificate content) |
| conductor: |
| database: |
| x509: |
| cacert: (certificate content) |
| cert: (certificate content) |
| key: (certificate content) |
| |
| You can read more about it here: |
| https://docs.openstack.org/security-guide/databases/database-access-control.html |
| |
| Enable x509 and ssl communication between Ironic and Rabbitmq. |
| --------------------- |
| By default communication between Ironic and Rabbitmq is unsecure. |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| message_queue: |
| x509: |
| enabled: True |
| conductor: |
| message_queue: |
| x509: |
| enabled: True |
| |
| You able to set custom certificates in pillar: |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| message_queue: |
| x509: |
| cacert: (certificate content) |
| cert: (certificate content) |
| key: (certificate content) |
| conductor: |
| message_queue: |
| x509: |
| cacert: (certificate content) |
| cert: (certificate content) |
| key: (certificate content) |
| |
| You can read more about it here: |
| https://docs.openstack.org/security-guide/messaging/security.html |
| |
| Ironic service with cache and security enabled |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| enabled: true |
| version: pike |
| cache: |
| engine: memcached |
| members: |
| - host: 127.0.0.1 |
| port: 11211 |
| - host: 127.0.0.1 |
| port: 11211 |
| security: |
| enabled: true |
| strategy: ENCRYPT |
| secret_key: secret |
| |
| |
| Enable serial console for Baremetal Nodes |
| ----------------------------------------- |
| |
| .. code-block:: yaml |
| |
| ironic: |
| conductor: |
| console: |
| terminal: shellinaboxd |
| terminal_cert_dir: /tmp/ca |
| terminal_timeout: 10 |
| subprocess_checking_interval: 1 |
| subprocess_timeout: 10 |
| kill_timeout: 1 |
| socat_address: 127.0.0.1 |
| |
| You can read more info about it here: |
| https://docs.openstack.org/ironic/pike/admin/console.html#node-serial-console |
| |
| |
| Ensure nodes are in target state (available). |
| Starting from 1.11 API microversion newly-created node is moved to `enroll` |
| state. To move it to available the following client pillar might be used: |
| |
| .. code-block:: yaml |
| |
| ironic: |
| client: |
| node_state_transition: |
| enabled: true |
| enroll_to_available: |
| provision_state: 'enroll' |
| pool_size: 5 |
| sleep_time: 10 |
| timeout: 15 |
| |
| Change default options using configmap template settings |
| ======================================================== |
| |
| .. code-block:: yaml |
| |
| ironic: |
| api: |
| configmap: |
| DEFAULT: |
| enabled_drivers: pxe_ipmitool |
| enabled_hardware_types: ipmi |
| enabled_boot_interfaces: pxe |
| api: |
| host_ip: 0.0.0.0 |
| port: 6385 |
| max_limit: 1000 |
| conductor: |
| configmap: |
| DEFAULT: |
| enabled_drivers: pxe_ipmitool |
| enabled_hardware_types: ipmi |
| enabled_boot_interfaces: pxe |
| disk_partitioner: |
| check_device_interval: 1 |
| check_device_max_retries: 20 |
| disk_utils: |
| efi_system_partition_size: 200 |
| bios_boot_partition_size: 1 |
| |
| Enable direct http deploy feature |
| ======================================================== |
| |
| .. code-block:: yaml |
| |
| ironic: |
| conductor: |
| image_download_source: http |
| |
| Upgrades |
| ======== |
| |
| Each openstack formula provide set of phases (logical blocks) that will help to |
| build flexible upgrade orchestration logic for particular components. The list |
| of phases and theirs descriptions are listed in table below: |
| |
| +-------------------------------+------------------------------------------------------+ |
| | State | Description | |
| +===============================+======================================================+ |
| | <app>.upgrade.service_running | Ensure that all services for particular application | |
| | | are enabled for autostart and running | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.service_stopped | Ensure that all services for particular application | |
| | | disabled for autostart and dead | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.pkgs_latest | Ensure that packages used by particular application | |
| | | are installed to latest available version. | |
| | | This will not upgrade data plane packages like qemu | |
| | | and openvswitch as usually minimal required version | |
| | | in openstack services is really old. The data plane | |
| | | packages should be upgraded separately by `apt-get | |
| | | upgrade` or `apt-get dist-upgrade` | |
| | | Applying this state will not autostart service. | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.render_config | Ensure configuration is rendered actual version. + |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.pre | We assume this state is applied on all nodes in the | |
| | | cloud before running upgrade. | |
| | | Only non destructive actions will be applied during | |
| | | this phase. Perform service built in service check | |
| | | like (keystone-manage doctor and nova-status upgrade)| |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this | |
| | | phase resources will be gracefully removed from | |
| | | current node if it is allowed. Services for upgraded | |
| | | application will be set to admin disabled state to | |
| | | make sure node will not participate in resources | |
| | | scheduling. For example on gtw nodes this will set | |
| | | all agents to admin disable state and will move all | |
| | | routers to other agents. | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.upgrade | This state will basically upgrade application on | |
| | | particular target. Stop services, render | |
| | | configuration, install new packages, run offline | |
| | | dbsync (for ctl), start services. Data plane should | |
| | | not be affected, only OpenStack python services. | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.upgrade.post | Add services back to scheduling. | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.post | This phase should be launched only when upgrade of | |
| | | the cloud is completed. Cleanup temporary files, | |
| | | perform other post upgrade tasks. | |
| +-------------------------------+------------------------------------------------------+ |
| | <app>.upgrade.verify | Here we will do basic health checks (API CRUD | |
| | | operations, verify do not have dead network | |
| | | agents/compute services) | |
| +-------------------------------+------------------------------------------------------+ |
| |
| Upgrade pillar example: |
| ironic: |
| upgrade: |
| enabled: True |
| old_release: pike |
| new_release: queens |