diff --git a/ironic/files/rocky/ironic.conf b/ironic/files/rocky/ironic.conf
new file mode 100644
index 0000000..d5a8a7a
--- /dev/null
+++ b/ironic/files/rocky/ironic.conf
@@ -0,0 +1,3079 @@
+{%- from "ironic/map.jinja" import api,conductor,upgrade with context -%}
+{%- if api.get("enabled", False) %}
+  {%- set ironic = api %}
+{%- elif conductor.get('enabled', False) %}
+  {%- set ironic = conductor %}
+{%- endif %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if ironic.database.get('x509',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ ironic.database.x509.ca_file ~ '&ssl_cert=' ~ ironic.database.x509.cert_file ~ '&ssl_key=' ~ ironic.database.x509.key_file %}
+{%- elif ironic.database.get('ssl',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ ironic.database.ssl.get('cacert_file', ironic.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
+log_dir = /var/log/ironic
+
+#
+# From ironic
+#
+
+# Authentication strategy used by ironic-api. "noauth" should
+# not be used in a production environment because all
+# authentication will be disabled. (string value)
+# Possible values:
+# noauth - no authentication
+# keystone - use the Identity service for authentication
+#auth_strategy = keystone
+{%- if ironic.identity is defined %}
+auth_strategy = {{ ironic.identity.engine }}
+{%- else %}
+#auth_strategy = keystone
+{%- endif %}
+
+# Return server tracebacks in the API response for any error
+# responses. WARNING: this is insecure and should not be used
+# in a production environment. (boolean value)
+#debug_tracebacks_in_api = false
+
+# Enable pecan debug mode. WARNING: this is insecure and
+# should not be used in a production environment. (boolean
+# value)
+#pecan_debug = false
+
+# Resource class to use for new nodes when no resource class
+# is provided in the creation request. (string value)
+#default_resource_class = <None>
+
+# DEPRECATED: This option is left for a start up check only.
+# Any non-empty value will prevent the conductor from
+# starting. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Hardware types should be used instead of classic
+# drivers. They are enabled via the enabled_hardware_types
+# option.
+{%- if conductor.get('enabled_drivers') %}
+enabled_drivers = {{ ','.join(conductor.enabled_drivers) }}
+{%- else %}
+#enabled_drivers = pxe_ipmitool
+{%- endif %}
+
+# Specify the list of hardware types to load during service
+# initialization. Missing hardware types, or hardware types
+# which fail to initialize, will prevent the conductor service
+# from starting. This option defaults to a recommended set of
+# production-oriented hardware types. A complete list of
+# hardware types present on your system may be found by
+# enumerating the "ironic.hardware.types" entrypoint. (list
+# value)
+{%- if conductor.get('enabled_hardware_types') %}
+enabled_hardware_types = {{ ','.join(conductor.enabled_hardware_types) }}
+{%- else %}
+#enabled_hardware_types = ipmi
+{%- endif %}
+
+# Specify the list of bios interfaces to load during service
+# initialization. Missing bios interfaces, or bios interfaces
+# which fail to initialize, will prevent the ironic-conductor
+# service from starting. At least one bios interface that is
+# supported by each enabled hardware type must be enabled
+# here, or the ironic-conductor service will not start. Must
+# not be an empty list. The default value is a recommended set
+# of production-oriented bios interfaces. A complete list of
+# bios interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.bios"
+# entrypoint. When setting this value, please make sure that
+# every enabled hardware type will have the same set of
+# enabled bios interfaces on every ironic-conductor service.
+# (list value)
+#enabled_bios_interfaces = no-bios
+
+# Default bios interface to be used for nodes that do not have
+# bios_interface field set. A complete list of bios interfaces
+# present on your system may be found by enumerating the
+# "ironic.hardware.interfaces.bios" entrypoint. (string value)
+#default_bios_interface = <None>
+
+# Specify the list of boot interfaces to load during service
+# initialization. Missing boot interfaces, or boot interfaces
+# which fail to initialize, will prevent the ironic-conductor
+# service from starting. At least one boot interface that is
+# supported by each enabled hardware type must be enabled
+# here, or the ironic-conductor service will not start. Must
+# not be an empty list. The default value is a recommended set
+# of production-oriented boot interfaces. A complete list of
+# boot interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.boot"
+# entrypoint. When setting this value, please make sure that
+# every enabled hardware type will have the same set of
+# enabled boot interfaces on every ironic-conductor service.
+# (list value)
+{%- if conductor.get('enabled_boot_interfaces') %}
+enabled_boot_interfaces = {{ ','.join(conductor.enabled_boot_interfaces) }}
+{%- else %}
+#enabled_boot_interfaces = pxe
+{%- endif %}
+
+# Default boot interface to be used for nodes that do not have
+# boot_interface field set. A complete list of boot interfaces
+# present on your system may be found by enumerating the
+# "ironic.hardware.interfaces.boot" entrypoint. (string value)
+{%- if conductor.get('default_boot_interface') %}
+default_boot_interface = {{ conductor.default_boot_interface }}
+{%- else %}
+#default_boot_interface = <None>
+{%- endif %}
+
+# Specify the list of console interfaces to load during
+# service initialization. Missing console interfaces, or
+# console interfaces which fail to initialize, will prevent
+# the ironic-conductor service from starting. At least one
+# console interface that is supported by each enabled hardware
+# type must be enabled here, or the ironic-conductor service
+# will not start. Must not be an empty list. The default value
+# is a recommended set of production-oriented console
+# interfaces. A complete list of console interfaces present on
+# your system may be found by enumerating the
+# "ironic.hardware.interfaces.console" entrypoint. When
+# setting this value, please make sure that every enabled
+# hardware type will have the same set of enabled console
+# interfaces on every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_console_interfaces') %}
+enabled_console_interfaces = {{ ','.join(conductor.enabled_console_interfaces) }}
+{%- else %}
+#enabled_console_interfaces = no-console
+{%- endif %}
+
+# Default console interface to be used for nodes that do not
+# have console_interface field set. A complete list of console
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.console"
+# entrypoint. (string value)
+{%- if conductor.get('default_console_interface') %}
+default_console_interface = {{ conductor.default_console_interface }}
+{%- else %}
+#default_console_interface = <None>
+{%- endif %}
+
+# Specify the list of deploy interfaces to load during service
+# initialization. Missing deploy interfaces, or deploy
+# interfaces which fail to initialize, will prevent the
+# ironic-conductor service from starting. At least one deploy
+# interface that is supported by each enabled hardware type
+# must be enabled here, or the ironic-conductor service will
+# not start. Must not be an empty list. The default value is a
+# recommended set of production-oriented deploy interfaces. A
+# complete list of deploy interfaces present on your system
+# may be found by enumerating the
+# "ironic.hardware.interfaces.deploy" entrypoint. When setting
+# this value, please make sure that every enabled hardware
+# type will have the same set of enabled deploy interfaces on
+# every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_deploy_interfaces') %}
+enabled_deploy_interfaces = {{ ','.join(conductor.enabled_deploy_interfaces) }}
+{%- else %}
+#enabled_deploy_interfaces = iscsi,direct
+{%- endif %}
+
+# Default deploy interface to be used for nodes that do not
+# have deploy_interface field set. A complete list of deploy
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.deploy"
+# entrypoint. (string value)
+{%- if conductor.get('default_deploy_interface') %}
+default_deploy_interface = {{ conductor.default_deploy_interface }}
+{%- else %}
+#default_deploy_interface = <None>
+{%- endif %}
+
+# Specify the list of inspect interfaces to load during
+# service initialization. Missing inspect interfaces, or
+# inspect interfaces which fail to initialize, will prevent
+# the ironic-conductor service from starting. At least one
+# inspect interface that is supported by each enabled hardware
+# type must be enabled here, or the ironic-conductor service
+# will not start. Must not be an empty list. The default value
+# is a recommended set of production-oriented inspect
+# interfaces. A complete list of inspect interfaces present on
+# your system may be found by enumerating the
+# "ironic.hardware.interfaces.inspect" entrypoint. When
+# setting this value, please make sure that every enabled
+# hardware type will have the same set of enabled inspect
+# interfaces on every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_inspect_interfaces') %}
+enabled_inspect_interfaces = {{ ','.join(conductor.enabled_inspect_interfaces) }}
+{%- else %}
+#enabled_inspect_interfaces = no-inspect
+{%- endif %}
+
+# Default inspect interface to be used for nodes that do not
+# have inspect_interface field set. A complete list of inspect
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.inspect"
+# entrypoint. (string value)
+{%- if conductor.get('default_inspect_interface') %}
+default_inspect_interface = {{ conductor.default_inspect_interface }}
+{%- else %}
+#default_inspect_interface = <None>
+{%- endif %}
+
+# Specify the list of management interfaces to load during
+# service initialization. Missing management interfaces, or
+# management interfaces which fail to initialize, will prevent
+# the ironic-conductor service from starting. At least one
+# management interface that is supported by each enabled
+# hardware type must be enabled here, or the ironic-conductor
+# service will not start. Must not be an empty list. The
+# default value is a recommended set of production-oriented
+# management interfaces. A complete list of management
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.management"
+# entrypoint. When setting this value, please make sure that
+# every enabled hardware type will have the same set of
+# enabled management interfaces on every ironic-conductor
+# service. (list value)
+{%- if conductor.get('enabled_management_interfaces') %}
+enabled_management_interfaces = {{ ','.join(conductor.enabled_management_interfaces) }}
+{%- else %}
+#enabled_management_interfaces = ipmitool
+{%- endif %}
+
+# Default management interface to be used for nodes that do
+# not have management_interface field set. A complete list of
+# management interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.management"
+# entrypoint. (string value)
+{%- if conductor.get('default_management_interface') %}
+default_management_interface = {{ conductor.default_management_interface }}
+{%- else %}
+#default_management_interface = <None>
+{%- endif %}
+
+# Specify the list of network interfaces to load during
+# service initialization. Missing network interfaces, or
+# network interfaces which fail to initialize, will prevent
+# the ironic-conductor service from starting. At least one
+# network interface that is supported by each enabled hardware
+# type must be enabled here, or the ironic-conductor service
+# will not start. Must not be an empty list. The default value
+# is a recommended set of production-oriented network
+# interfaces. A complete list of network interfaces present on
+# your system may be found by enumerating the
+# "ironic.hardware.interfaces.network" entrypoint. When
+# setting this value, please make sure that every enabled
+# hardware type will have the same set of enabled network
+# interfaces on every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_network_interfaces') %}
+enabled_network_interfaces = {{ ','.join(conductor.enabled_network_interfaces) }}
+{%- else %}
+#enabled_network_interfaces = flat,noop
+{%- endif %}
+
+# Default network interface to be used for nodes that do not
+# have network_interface field set. A complete list of network
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.network"
+# entrypoint. (string value)
+{%- if conductor.get('default_network_interface') %}
+default_network_interface = {{ conductor.default_network_interface }}
+{%- else %}
+#default_network_interface = <None>
+{%- endif %}
+
+# Specify the list of power interfaces to load during service
+# initialization. Missing power interfaces, or power
+# interfaces which fail to initialize, will prevent the
+# ironic-conductor service from starting. At least one power
+# interface that is supported by each enabled hardware type
+# must be enabled here, or the ironic-conductor service will
+# not start. Must not be an empty list. The default value is a
+# recommended set of production-oriented power interfaces. A
+# complete list of power interfaces present on your system may
+# be found by enumerating the
+# "ironic.hardware.interfaces.power" entrypoint. When setting
+# this value, please make sure that every enabled hardware
+# type will have the same set of enabled power interfaces on
+# every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_power_interfaces') %}
+enabled_power_interfaces = {{ ','.join(conductor.enabled_power_interfaces) }}
+{%- else %}
+#enabled_power_interfaces = ipmitool
+{%- endif %}
+
+# Default power interface to be used for nodes that do not
+# have power_interface field set. A complete list of power
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.power"
+# entrypoint. (string value)
+{%- if conductor.get('default_power_interface') %}
+default_power_interface = {{ conductor.default_power_interface }}
+{%- else %}
+#default_power_interface = <None>
+{%- endif %}
+
+# Specify the list of raid interfaces to load during service
+# initialization. Missing raid interfaces, or raid interfaces
+# which fail to initialize, will prevent the ironic-conductor
+# service from starting. At least one raid interface that is
+# supported by each enabled hardware type must be enabled
+# here, or the ironic-conductor service will not start. Must
+# not be an empty list. The default value is a recommended set
+# of production-oriented raid interfaces. A complete list of
+# raid interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.raid"
+# entrypoint. When setting this value, please make sure that
+# every enabled hardware type will have the same set of
+# enabled raid interfaces on every ironic-conductor service.
+# (list value)
+{%- if conductor.get('enabled_raid_interfaces') %}
+enabled_raid_interfaces = {{ ','.join(conductor.enabled_raid_interfaces) }}
+{%- else %}
+#enabled_raid_interfaces = agent,no-raid
+{%- endif %}
+
+# Default raid interface to be used for nodes that do not have
+# raid_interface field set. A complete list of raid interfaces
+# present on your system may be found by enumerating the
+# "ironic.hardware.interfaces.raid" entrypoint. (string value)
+{%- if conductor.get('default_raid_interface') %}
+default_raid_interface = {{ conductor.default_raid_interface }}
+{%- else %}
+#default_raid_interface = <None>
+{%- endif %}
+
+# Specify the list of rescue interfaces to load during service
+# initialization. Missing rescue interfaces, or rescue
+# interfaces which fail to initialize, will prevent the
+# ironic-conductor service from starting. At least one rescue
+# interface that is supported by each enabled hardware type
+# must be enabled here, or the ironic-conductor service will
+# not start. Must not be an empty list. The default value is a
+# recommended set of production-oriented rescue interfaces. A
+# complete list of rescue interfaces present on your system
+# may be found by enumerating the
+# "ironic.hardware.interfaces.rescue" entrypoint. When setting
+# this value, please make sure that every enabled hardware
+# type will have the same set of enabled rescue interfaces on
+# every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_rescue_interfaces') %}
+enabled_rescue_interfaces = {{ ','.join(conductor.enabled_rescue_interfaces) }}
+{%- else %}
+#enabled_rescue_interfaces = no-rescue
+{%- endif %}
+
+# Default rescue interface to be used for nodes that do not
+# have rescue_interface field set. A complete list of rescue
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.rescue"
+# entrypoint. (string value)
+{%- if conductor.get('default_rescue_interface') %}
+default_rescue_interface = {{ conductor.default_rescue_interface }}
+{%- else %}
+#default_rescue_interface = <None>
+{%- endif %}
+
+# Specify the list of storage interfaces to load during
+# service initialization. Missing storage interfaces, or
+# storage interfaces which fail to initialize, will prevent
+# the ironic-conductor service from starting. At least one
+# storage interface that is supported by each enabled hardware
+# type must be enabled here, or the ironic-conductor service
+# will not start. Must not be an empty list. The default value
+# is a recommended set of production-oriented storage
+# interfaces. A complete list of storage interfaces present on
+# your system may be found by enumerating the
+# "ironic.hardware.interfaces.storage" entrypoint. When
+# setting this value, please make sure that every enabled
+# hardware type will have the same set of enabled storage
+# interfaces on every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_storage_interfaces') %}
+enabled_storage_interfaces = {{ ','.join(conductor.enabled_storage_interfaces) }}
+{%- else %}
+#enabled_storage_interfaces = noop
+{%- endif %}
+
+# Default storage interface to be used for nodes that do not
+# have storage_interface field set. A complete list of storage
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.storage"
+# entrypoint. (string value)
+{%- if conductor.get('default_storage_interface') %}
+default_storage_interface = {{ ironic.condcutor.default_storage_interface }}
+{%- else %}
+#default_storage_interface = <None>
+{%- endif %}
+
+# Specify the list of vendor interfaces to load during service
+# initialization. Missing vendor interfaces, or vendor
+# interfaces which fail to initialize, will prevent the
+# ironic-conductor service from starting. At least one vendor
+# interface that is supported by each enabled hardware type
+# must be enabled here, or the ironic-conductor service will
+# not start. Must not be an empty list. The default value is a
+# recommended set of production-oriented vendor interfaces. A
+# complete list of vendor interfaces present on your system
+# may be found by enumerating the
+# "ironic.hardware.interfaces.vendor" entrypoint. When setting
+# this value, please make sure that every enabled hardware
+# type will have the same set of enabled vendor interfaces on
+# every ironic-conductor service. (list value)
+{%- if conductor.get('enabled_vendor_interfaces') %}
+enabled_vendor_interfaces = {{ ','.join(conductor.enabled_vendor_interfaces) }}
+{%- else %}
+#enabled_vendor_interfaces = no-vendor
+{%- endif %}
+
+# Default vendor interface to be used for nodes that do not
+# have vendor_interface field set. A complete list of vendor
+# interfaces present on your system may be found by
+# enumerating the "ironic.hardware.interfaces.vendor"
+# entrypoint. (string value)
+{%- if conductor.get('default_vendor_interface') %}
+default_vendor_interface = {{ conductor.default_vendor_interface }}
+{%- else %}
+#default_vendor_interface = <None>
+{%- endif %}
+
+# Used if there is a formatting error when generating an
+# exception message (a programming error). If True, raise an
+# exception; if False, use the unformatted message. (boolean
+# value)
+#fatal_exception_format_errors = false
+
+# Exponent to determine number of hash partitions to use when
+# distributing load across conductors. Larger values will
+# result in more even distribution of load and less load when
+# rebalancing the ring, but more memory usage. Number of
+# partitions per conductor is (2^hash_partition_exponent).
+# This determines the granularity of rebalancing: given 10
+# hosts, and an exponent of the 2, there are 40 partitions in
+# the ring.A few thousand partitions should make rebalancing
+# smooth in most cases. The default is suitable for up to a
+# few hundred conductors. Configuring for too many partitions
+# has a negative impact on CPU usage. (integer value)
+#hash_partition_exponent = 5
+
+# [Experimental Feature] Number of hosts to map onto each hash
+# partition. Setting this to more than one will cause
+# additional conductor services to prepare deployment
+# environments and potentially allow the Ironic cluster to
+# recover more quickly if a conductor instance is terminated.
+# (integer value)
+#hash_distribution_replicas = 1
+
+# Time (in seconds) after which the hash ring is considered
+# outdated and is refreshed on the next access. (integer
+# value)
+#hash_ring_reset_interval = 15
+
+# If True, convert backing images to "raw" disk image format.
+# (boolean value)
+#force_raw_images = true
+
+# Path to isolinux binary file. (string value)
+#isolinux_bin = /usr/lib/syslinux/isolinux.bin
+
+# Template file for isolinux configuration file. (string
+# value)
+#isolinux_config_template = $pybasedir/common/isolinux_config.template
+
+# Template file for grub configuration file. (string value)
+#grub_config_template = $pybasedir/common/grub_conf.template
+
+# Path to ldlinux.c32 file. This file is required for syslinux
+# 5.0 or later. If not specified, the file is looked for in
+# "/usr/lib/syslinux/modules/bios/ldlinux.c32" and
+# "/usr/share/syslinux/ldlinux.c32". (string value)
+#ldlinux_c32 = <None>
+
+# Run image downloads and raw format conversions in parallel.
+# (boolean value)
+#parallel_image_downloads = false
+
+# IP address of this host. If unset, will determine the IP
+# programmatically. If unable to do so, will use "127.0.0.1".
+# (string value)
+{%- if conductor.get('my_ip') %}
+my_ip = {{ conductor.my_ip }}
+{%- else %}
+#my_ip = 127.0.0.1
+{%- endif %}
+
+# Specifies the minimum level for which to send notifications.
+# If not set, no notifications will be sent. The default is
+# for this option to be unset. (string value)
+# Possible values:
+# debug - "debug" level
+# info - "info" level
+# warning - "warning" level
+# error - "error" level
+# critical - "critical" level
+#notification_level = <None>
+
+# Directory where the ironic python module is installed.
+# (string value)
+#pybasedir = /usr/lib/python/site-packages/ironic/ironic
+
+# Directory where ironic binaries are installed. (string
+# value)
+#bindir = $pybasedir/bin
+
+# Top-level directory for maintaining ironic's state. (string
+# value)
+#state_path = $pybasedir
+
+# Default mode for portgroups. Allowed values can be found in
+# the linux kernel documentation on bonding:
+# https://www.kernel.org/doc/Documentation/networking/bonding.txt.
+# (string value)
+#default_portgroup_mode = active-backup
+
+# Name of this node. This can be an opaque identifier. It is
+# not necessarily a hostname, FQDN, or IP address. However,
+# the node name must be valid within an AMQP key, and if using
+# ZeroMQ (will be removed in the Stein release), a valid
+# hostname, FQDN, or IP address. (string value)
+#host = localhost
+
+# Used for rolling upgrades. Setting this option downgrades
+# (or pins) the Bare Metal API, the internal ironic RPC
+# communication, and the database objects to their respective
+# versions, so they are compatible with older services. When
+# doing a rolling upgrade from version N to version N+1, set
+# (to pin) this to N. To unpin (default), leave it unset and
+# the latest versions will be used. (string value)
+# Possible values:
+# rocky - "rocky" release
+# queens - "queens" release
+# 9.2 - "9.2" release
+# 11.1 - "11.1" release
+# 11.0 - "11.0" release
+# 10.1 - "10.1" release
+# 10.0 - "10.0" release
+# Note: This option can be changed without restarting.
+#pin_release_version = <None>
+{%- if upgrade.get('enabled', False) %}
+pin_release_version = {{ upgrade.old_release }}
+{%- endif %}
+
+# Path to the rootwrap configuration file to use for running
+# commands as root. (string value)
+#rootwrap_config = /etc/ironic/rootwrap.conf
+
+# Temporary working directory, default is Python temp dir.
+# (string value)
+#tempdir = /tmp
+
+{%- if ironic.logging is defined %}
+{%- set _data = ironic.logging %}
+{%- include "oslo_templates/files/rocky/oslo/_log.conf" %}
+{%- endif %}
+
+# If set to true, the logging level will be set to DEBUG
+# instead of the default INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+{%- set _data = ironic.message_queue %}
+{%- include "oslo_templates/files/rocky/oslo/messaging/_default.conf" %}
+
+#
+# From oslo.service.periodic_task
+#
+
+# Some periodic tasks can be run in a separate process. Should
+# we run them here? (boolean value)
+#run_external_periodic_tasks = true
+
+#
+# From oslo.service.service
+#
+
+# Enable eventlet backdoor.  Acceptable values are 0, <port>,
+# and <start>:<end>, where 0 results in listening on a random
+# tcp port number; <port> results in listening on the
+# specified port number (and not enabling backdoor if that
+# port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range
+# of port numbers.  The chosen port is displayed in the
+# service's log file. (string value)
+#backdoor_port = <None>
+
+# Enable eventlet backdoor, using the provided path as a unix
+# socket that can receive connections. This option is mutually
+# exclusive with 'backdoor_port' in that only one should be
+# provided. If both are provided then the existence of this
+# option overrides the usage of that option. (string value)
+#backdoor_socket = <None>
+
+# Enables or disables logging values of all registered options
+# when starting a service (at DEBUG level). (boolean value)
+#log_options = true
+
+# Specify a timeout after which a gracefully shutdown server
+# will exit. Zero value means endless wait. (integer value)
+#graceful_shutdown_timeout = 60
+
+
+[agent]
+
+#
+# From ironic
+#
+
+# Whether Ironic will manage booting of the agent ramdisk. If
+# set to False, you will need to configure your mechanism to
+# allow booting the agent ramdisk. (boolean value)
+#manage_agent_boot = true
+
+# The memory size in MiB consumed by agent when it is booted
+# on a bare metal node. This is used for checking if the image
+# can be downloaded and deployed on the bare metal node after
+# booting agent ramdisk. This may be set according to the
+# memory consumed by the agent ramdisk image. (integer value)
+#memory_consumed_by_agent = 0
+
+# Whether the agent ramdisk should stream raw images directly
+# onto the disk or not. By streaming raw images directly onto
+# the disk the agent ramdisk will not spend time copying the
+# image to a tmpfs partition (therefore consuming less memory)
+# prior to writing it to the disk. Unless the disk where the
+# image will be copied to is really slow, this option should
+# be set to True. Defaults to True. (boolean value)
+#stream_raw_images = true
+
+# Number of times to retry getting power state to check if
+# bare metal node has been powered off after a soft power off.
+# (integer value)
+#post_deploy_get_power_state_retries = 6
+
+# Amount of time (in seconds) to wait between polling power
+# state after trigger soft poweroff. (integer value)
+#post_deploy_get_power_state_retry_interval = 5
+
+# API version to use for communicating with the ramdisk agent.
+# (string value)
+#agent_api_version = v1
+
+# Whether Ironic should collect the deployment logs on
+# deployment failure (on_failure), always or never. (string
+# value)
+# Possible values:
+# always - always collect the logs
+# on_failure - only collect logs if there is a failure
+# never - never collect logs
+#deploy_logs_collect = on_failure
+
+# The name of the storage backend where the logs will be
+# stored. (string value)
+# Possible values:
+# local - store the logs locally
+# swift - store the logs in Object Storage service
+#deploy_logs_storage_backend = local
+
+# The path to the directory where the logs should be stored,
+# used when the deploy_logs_storage_backend is configured to
+# "local". (string value)
+#deploy_logs_local_path = /var/log/ironic/deploy
+
+# The name of the Swift container to store the logs, used when
+# the deploy_logs_storage_backend is configured to "swift".
+# (string value)
+#deploy_logs_swift_container = ironic_deploy_logs_container
+
+# Number of days before a log object is marked as expired in
+# Swift. If None, the logs will be kept forever or until
+# manually deleted. Used when the deploy_logs_storage_backend
+# is configured to "swift". (integer value)
+#deploy_logs_swift_days_to_expire = 30
+
+
+[ansible]
+
+#
+# From ironic
+#
+
+# Extra arguments to pass on every invocation of Ansible.
+# (string value)
+#ansible_extra_args = <None>
+
+# Set ansible verbosity level requested when invoking
+# "ansible-playbook" command. 4 includes detailed SSH session
+# logging. Default is 4 when global debug is enabled and 0
+# otherwise. (integer value)
+# Minimum value: 0
+# Maximum value: 4
+#verbosity = <None>
+
+# Path to "ansible-playbook" script. Default will search the
+# $PATH configured for user running ironic-conductor process.
+# Provide the full path when ansible-playbook is not in $PATH
+# or installed in not default location. (string value)
+#ansible_playbook_script = ansible-playbook
+
+# Path to directory with playbooks, roles and local inventory.
+# (string value)
+#playbooks_path = $pybasedir/drivers/modules/ansible/playbooks
+
+# Path to ansible configuration file. If set to empty, system
+# default will be used. (string value)
+#config_file_path = $pybasedir/drivers/modules/ansible/playbooks/ansible.cfg
+
+# Number of times to retry getting power state to check if
+# bare metal node has been powered off after a soft power off.
+# Value of 0 means do not retry on failure. (integer value)
+# Minimum value: 0
+#post_deploy_get_power_state_retries = 6
+
+# Amount of time (in seconds) to wait between polling power
+# state after trigger soft poweroff. (integer value)
+# Minimum value: 0
+#post_deploy_get_power_state_retry_interval = 5
+
+# Extra amount of memory in MiB expected to be consumed by
+# Ansible-related processes on the node. Affects decision
+# whether image will fit into RAM. (integer value)
+#extra_memory = 10
+
+# Skip verifying SSL connections to the image store when
+# downloading the image. Setting it to "True" is only
+# recommended for testing environments that use self-signed
+# certificates. (boolean value)
+#image_store_insecure = false
+
+# Specific CA bundle to use for validating SSL connections to
+# the image store. If not specified, CA available in the
+# ramdisk will be used. Is not used by default playbooks
+# included with the driver. Suitable for environments that use
+# self-signed certificates. (string value)
+#image_store_cafile = <None>
+
+# Client cert to use for SSL connections to image store. Is
+# not used by default playbooks included with the driver.
+# (string value)
+#image_store_certfile = <None>
+
+# Client key to use for SSL connections to image store. Is not
+# used by default playbooks included with the driver. (string
+# value)
+#image_store_keyfile = <None>
+
+# Name of the user to use for Ansible when connecting to the
+# ramdisk over SSH. It may be overridden by per-node
+# 'ansible_username' option in node's 'driver_info' field.
+# (string value)
+#default_username = ansible
+
+# Absolute path to the private SSH key file to use by Ansible
+# by default when connecting to the ramdisk over SSH. Default
+# is to use default SSH keys configured for the user running
+# the ironic-conductor service. Private keys with password
+# must be pre-loaded into 'ssh-agent'. It may be overridden by
+# per-node 'ansible_key_file' option in node's 'driver_info'
+# field. (string value)
+#default_key_file = <None>
+
+# Path (relative to $playbooks_path or absolute) to the
+# default playbook used for deployment. It may be overridden
+# by per-node 'ansible_deploy_playbook' option in node's
+# 'driver_info' field. (string value)
+#default_deploy_playbook = deploy.yaml
+
+# Path (relative to $playbooks_path or absolute) to the
+# default playbook used for graceful in-band shutdown of the
+# node. It may be overridden by per-node
+# 'ansible_shutdown_playbook' option in node's 'driver_info'
+# field. (string value)
+#default_shutdown_playbook = shutdown.yaml
+
+# Path (relative to $playbooks_path or absolute) to the
+# default playbook used for node cleaning. It may be
+# overridden by per-node 'ansible_clean_playbook' option in
+# node's 'driver_info' field. (string value)
+#default_clean_playbook = clean.yaml
+
+# Path (relative to $playbooks_path or absolute) to the
+# default auxiliary cleaning steps file used during the node
+# cleaning. It may be overridden by per-node
+# 'ansible_clean_steps_config' option in node's 'driver_info'
+# field. (string value)
+#default_clean_steps_config = clean_steps.yaml
+
+
+[api]
+
+#
+# From ironic
+#
+
+# The IP address on which ironic-api listens. (string value)
+{%- if api.get('bind', {}).get('address') %}
+host_ip = {{ api.bind.address }}
+{%- else %}
+#host_ip = 0.0.0.0
+{%- endif %}
+
+# The TCP port on which ironic-api listens. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+{%- if api.get('bind', {}).get('port') %}
+port = {{ api.bind.port }}
+{%- else %}
+#port = 6385
+{%- endif %}
+
+# The maximum number of items returned in a single response
+# from a collection resource. (integer value)
+#max_limit = 1000
+
+# Public URL to use when building the links to the API
+# resources (for example, "https://ironic.rocks:6384"). If
+# None the links will be built using the request's host URL.
+# If the API is operating behind a proxy, you will want to
+# change this to represent the proxy's URL. Defaults to None.
+# (string value)
+{%- if api.public_endpoint is defined %}
+public_endpoint = {{ api.public_endpoint }}
+{%- else %}
+#public_endpoint = <None>
+{%- endif %}
+
+# Number of workers for OpenStack Ironic API service. The
+# default is equal to the number of CPUs available if that can
+# be determined, else a default worker count of 1 is returned.
+# (integer value)
+#api_workers = <None>
+
+# Enable the integrated stand-alone API to service requests
+# via HTTPS instead of HTTP. If there is a front-end service
+# performing HTTPS offloading from the service, this option
+# should be False; note, you will want to change public API
+# endpoint to represent SSL termination URL with
+# 'public_endpoint' option. (boolean value)
+#enable_ssl_api = false
+
+# Whether to restrict the lookup API to only nodes in certain
+# states. (boolean value)
+#restrict_lookup = true
+
+# Maximum interval (in seconds) for agent heartbeats. (integer
+# value)
+# Deprecated group/name - [agent]/heartbeat_timeout
+#ramdisk_heartbeat_timeout = 300
+
+
+[audit]
+
+#
+# From ironic
+#
+
+# Enable auditing of API requests (for ironic-api service).
+# (boolean value)
+#enabled = false
+
+# Path to audit map file for ironic-api service. Used only
+# when API audit is enabled. (string value)
+#audit_map_file = /etc/ironic/api_audit_map.conf
+
+# Comma separated list of Ironic REST API HTTP methods to be
+# ignored during audit logging. For example: auditing will not
+# be done on any GET or POST requests if this is set to
+# "GET,POST". It is used only when API audit is enabled.
+# (string value)
+#ignore_req_list =
+
+
+[cimc]
+
+#
+# From ironic
+#
+
+# Number of times a power operation needs to be retried
+# (integer value)
+#max_retry = 6
+
+# Amount of time in seconds to wait in between power
+# operations (integer value)
+#action_interval = 10
+
+
+[cinder]
+
+#
+# From ironic
+#
+
+# Number of retries in the case of a failed action (currently
+# only used when detaching volumes). (integer value)
+#action_retries = 3
+action_retries = 3
+
+# Retry interval in seconds in the case of a failed action
+# (only specific actions are retried). (integer value)
+#action_retry_interval = 5
+
+# Authentication URL (string value)
+{%- if conductor.get('cinder', {}).get('auth_strategy') == 'keystone' %}
+auth_url = {{ conductor.identity.protocol }}://{{ conductor.identity.host }}:{{ conductor.identity.port }}
+{%- if conductor.identity.protocol == 'https' %}
+cafile={{ conductor.identity.get('cacert_file', conductor.cacert_file) }}
+{%- endif %}
+{%- else %}
+#auth_url = <None>
+{%- endif %}
+
+# Authentication type to load (string value)
+# Deprecated group/name - [cinder]/auth_plugin
+{%- if conductor.get('cinder', {}).get('auth_type') %}
+auth_type = {{ conductor.cinder.auth_type }}
+{%- else %}
+#auth_type = <None>
+{%- endif %}
+
+# PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. (string value)
+#cafile = <None>
+
+# PEM encoded client certificate cert file (string value)
+#certfile = <None>
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Optional domain ID to use with v3 and v2 parameters. It will
+# be used for both the user and project domain in v3 and
+# ignored in v2 authentication. (string value)
+#default_domain_id = <None>
+
+# Optional domain name to use with v3 API and v2 parameters.
+# It will be used for both the user and project domain in v3
+# and ignored in v2 authentication. (string value)
+#default_domain_name = <None>
+
+# Domain ID to scope to (string value)
+#domain_id = <None>
+
+# Domain name to scope to (string value)
+#domain_name = <None>
+
+# Always use this endpoint URL for requests for this client.
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
+#endpoint_override = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+insecure = true
+
+# PEM encoded client certificate key file (string value)
+#keyfile = <None>
+
+# The maximum major version of a given API, intended to be
+# used as the upper bound of a range with min_version.
+# Mutually exclusive with version. (string value)
+#max_version = <None>
+
+# The minimum major version of a given API, intended to be
+# used as the lower bound of a range with max_version.
+# Mutually exclusive with version. If min_version is given
+# with no max_version it is as if max version is "latest".
+# (string value)
+#min_version = <None>
+
+# User's password (string value)
+#password = <None>
+{%- if conductor.get('cinder', {}).get('password') %}
+password = {{ conductor.cinder.password }}
+{%- else %}
+#password = <None>
+{%- endif %}
+
+# Domain ID containing project (string value)
+#project_domain_id = <None>
+{%- if conductor.get('cinder', {}).get('project_domain_id') %}
+project_domain_id = {{ conductor.cinder.project_domain_id }}
+{%- else %}
+#project_domain_id = <None>
+{%- endif %}
+
+# Domain name containing project (string value)
+#project_domain_name = <None>
+
+# Project ID to scope to (string value)
+# Deprecated group/name - [cinder]/tenant_id
+#project_id = <None>
+
+# Project name to scope to (string value)
+# Deprecated group/name - [cinder]/tenant_name
+#project_name = <None>
+{%- if conductor.get('cinder', {}).get('project_name') %}
+project_name = {{ conductor.cinder.project_name }}
+{%- else %}
+#project_name = <None>
+{%- endif %}
+
+# Client retries in the case of a failed request connection.
+# (integer value)
+#retries = 3
+
+# The default service_name for endpoint URL discovery. (string
+# value)
+#service_name = <None>
+
+# The default service_type for endpoint URL discovery. (string
+# value)
+#service_type = volumev3
+
+# Log requests to multiple loggers. (boolean value)
+#split_loggers = false
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
+# Tenant ID (string value)
+#tenant_id = <None>
+
+# Tenant Name (string value)
+#tenant_name = <None>
+
+# Timeout value for http requests (integer value)
+#timeout = <None>
+
+# Trust ID (string value)
+#trust_id = <None>
+
+# DEPRECATED: URL for connecting to cinder. If set, the value
+# must start with either http:// or https://. (uri value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [cinder]/endpoint_override option to set a
+# specific cinder API URL to connect to.
+{%- if conductor.get('cinder', {}).get('url') %}
+url = {{ conductor.cinder.url }}
+{%- else %}
+#url = <None>
+{%- endif %}
+
+# User's domain id (string value)
+#user_domain_id = <None>
+user_domain_id = default
+
+# User's domain name (string value)
+{%- if conductor.get('cinder', {}).get('user_domain_name') %}
+user_domain_name = {{ conductor.cinder.user_domain_name }}
+{%- else %}
+#user_domain_name = <None>
+{%- endif %}
+
+# User id (string value)
+#user_id = <None>
+
+# Username (string value)
+# Deprecated group/name - [cinder]/user_name
+{%- if conductor.get('cinder', {}).get('username') %}
+username = {{ conductor.cinder.username }}
+{%- else %}
+#username = <None>
+{%- endif %}
+
+# List of interfaces, in order of preference, for endpoint
+# URL. (list value)
+#valid_interfaces = internal,public
+
+# Minimum Major API version within a given Major API version
+# for endpoint URL discovery. Mutually exclusive with
+# min_version and max_version (string value)
+#version = <None>
+
+
+[cisco_ucs]
+
+#
+# From ironic
+#
+
+# Number of times a power operation needs to be retried
+# (integer value)
+#max_retry = 6
+
+# Amount of time in seconds to wait in between power
+# operations (integer value)
+#action_interval = 5
+
+
+[conductor]
+
+#
+# From ironic
+#
+
+# The size of the workers greenthread pool. Note that 2
+# threads will be reserved by the conductor itself for
+# handling heart beats and periodic tasks. (integer value)
+# Minimum value: 3
+#workers_pool_size = 100
+
+# Seconds between conductor heart beats. (integer value)
+#heartbeat_interval = 10
+
+# DEPRECATED: URL of Ironic API service. If not set ironic can
+# get the current value from the keystone service catalog. If
+# set, the value must start with either http:// or https://.
+# (uri value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [service_catalog]endpoint_override option
+# instead if required to use a specific ironic api address,
+# for example in noauth mode.
+{%- if conductor.get('api_url') %}
+api_url = {{ conductor.api_url }}
+{%- else %}
+#api_url = <None>
+{%- endif %}
+
+# Maximum time (in seconds) since the last check-in of a
+# conductor. A conductor is considered inactive when this time
+# has been exceeded. (integer value)
+#heartbeat_timeout = 60
+
+# Interval between syncing the node power state to the
+# database, in seconds. Set to 0 to disable syncing. (integer
+# value)
+#sync_power_state_interval = 60
+
+# Interval between checks of provision timeouts, in seconds.
+# Set to 0 to disable checks. (integer value)
+# Minimum value: 0
+#check_provision_state_interval = 60
+
+# Interval (seconds) between checks of rescue timeouts.
+# (integer value)
+# Minimum value: 1
+#check_rescue_state_interval = 60
+
+# Timeout (seconds) to wait for a callback from a deploy
+# ramdisk. Set to 0 to disable timeout. (integer value)
+#deploy_callback_timeout = 1800
+
+# During sync_power_state, should the hardware power state be
+# set to the state recorded in the database (True) or should
+# the database be updated based on the hardware state (False).
+# (boolean value)
+#force_power_state_during_sync = true
+
+# During sync_power_state failures, limit the number of times
+# Ironic should try syncing the hardware node power state with
+# the node power state in DB (integer value)
+#power_state_sync_max_retries = 3
+
+# Maximum number of worker threads that can be started
+# simultaneously by a periodic task. Should be less than RPC
+# thread pool size. (integer value)
+#periodic_max_workers = 8
+
+# Number of attempts to grab a node lock. (integer value)
+#node_locked_retry_attempts = 3
+
+# Seconds to sleep between node lock attempts. (integer value)
+#node_locked_retry_interval = 1
+
+# Enable sending sensor data message via the notification bus
+# (boolean value)
+#send_sensor_data = false
+
+# Seconds between conductor sending sensor data message to
+# ceilometer via the notification bus. (integer value)
+# Minimum value: 1
+#send_sensor_data_interval = 600
+
+# The maximum number of workers that can be started
+# simultaneously for send data from sensors periodic task.
+# (integer value)
+# Minimum value: 1
+#send_sensor_data_workers = 4
+
+# The time in seconds to wait for send sensors data periodic
+# task to be finished before allowing periodic call to happen
+# again. Should be less than send_sensor_data_interval value.
+# (integer value)
+#send_sensor_data_wait_timeout = 300
+
+# List of comma separated meter types which need to be sent to
+# Ceilometer. The default value, "ALL", is a special value
+# meaning send all the sensor data. (list value)
+#send_sensor_data_types = ALL
+
+# When conductors join or leave the cluster, existing
+# conductors may need to update any persistent local state as
+# nodes are moved around the cluster. This option controls how
+# often, in seconds, each conductor will check for nodes that
+# it should "take over". Set it to 0 (or a negative value) to
+# disable the check entirely. (integer value)
+#sync_local_state_interval = 180
+
+# Name of the Swift container to store config drive data. Used
+# when configdrive_use_object_store is True. (string value)
+#configdrive_swift_container = ironic_configdrive_container
+
+# Timeout (seconds) for waiting for node inspection. 0 -
+# unlimited. (integer value)
+# Deprecated group/name - [conductor]/inspect_timeout
+#inspect_wait_timeout = 1800
+
+# Enables or disables automated cleaning. Automated cleaning
+# is a configurable set of steps, such as erasing disk drives,
+# that are performed on the node to ensure it is in a baseline
+# state and ready to be deployed to. This is done after
+# instance deletion as well as during the transition from a
+# "manageable" to "available" state. When enabled, the
+# particular steps performed to clean a node depend on which
+# driver that node is managed by; see the individual driver's
+# documentation for details. NOTE: The introduction of the
+# cleaning operation causes instance deletion to take
+# significantly longer. In an environment where all tenants
+# are trusted (eg, because there is only one tenant), this
+# option could be safely disabled. (boolean value)
+{%- if conductor.automated_clean is defined %}
+automated_clean = {{ conductor.automated_clean }}
+{%- else %}
+#automated_clean = true
+{%- endif %}
+
+# Timeout (seconds) to wait for a callback from the ramdisk
+# doing the cleaning. If the timeout is reached the node will
+# be put in the "clean failed" provision state. Set to 0 to
+# disable timeout. (integer value)
+#clean_callback_timeout = 1800
+
+# Timeout (seconds) to wait for a callback from the rescue
+# ramdisk. If the timeout is reached the node will be put in
+# the "rescue failed" provision state. Set to 0 to disable
+# timeout. (integer value)
+# Minimum value: 0
+#rescue_callback_timeout = 1800
+
+# Timeout (in seconds) of soft reboot and soft power off
+# operation. This value always has to be positive. (integer
+# value)
+# Minimum value: 1
+#soft_power_off_timeout = 600
+
+# Number of seconds to wait for power operations to complete,
+# i.e., so that a baremetal node is in the desired power
+# state. If timed out, the power operation is considered a
+# failure. (integer value)
+# Minimum value: 2
+#power_state_change_timeout = 30
+
+# Interval (in seconds) between checking the power state for
+# nodes previously put into maintenance mode due to power
+# synchronization failure. A node is automatically moved out
+# of maintenance mode once its power state is retrieved
+# successfully. Set to 0 to disable this check. (integer
+# value)
+# Minimum value: 0
+#power_failure_recovery_interval = 300
+
+# Name of the conductor group to join. Can be up to 255
+# characters and is case insensitive. This conductor will only
+# manage nodes with a matching "conductor_group" field set on
+# the node. (string value)
+#conductor_group =
+
+
+[console]
+
+#
+# From ironic
+#
+
+# Path to serial console terminal program. Used only by Shell
+# In A Box console. (string value)
+{%- if conductor.get('console', {}).terminal is defined %}
+terminal = {{ conductor.console.terminal }}
+{%- else %}
+#terminal = shellinaboxd
+{%- endif %}
+
+# Directory containing the terminal SSL cert (PEM) for serial
+# console access. Used only by Shell In A Box console. (string
+# value)
+{%- if conductor.get('console', {}).terminal_cert_dir is defined %}
+terminal_cert_dir = {{ conductor.console.terminal_cert_dir }}
+{%- else %}
+#terminal_cert_dir = <None>
+{%- endif %}
+
+# Directory for holding terminal pid files. If not specified,
+# the temporary directory will be used. (string value)
+{%- if conductor.get('console', {}).terminal_pid_dir is defined %}
+terminal_pid_dir = {{ conductor.console.terminal_pid_dir }}
+{%- else %}
+#terminal_pid_dir = <None>
+{%- endif %}
+
+# Timeout (in seconds) for the terminal session to be closed
+# on inactivity. Set to 0 to disable timeout. Used only by
+# Socat console. (integer value)
+# Minimum value: 0
+{%- if conductor.get('console', {}).terminal_timeout is defined %}
+terminal_timeout = {{ conductor.console.terminal_timeout }}
+{%- else %}
+#terminal_timeout = 600
+{%- endif %}
+
+# Time interval (in seconds) for checking the status of
+# console subprocess. (integer value)
+{%- if conductor.get('console', {}).subprocess_checking_interval is defined %}
+subprocess_checking_interval = {{ conductor.console.subprocess_checking_interval }}
+{%- else %}
+#subprocess_checking_interval = 1
+{%- endif %}
+
+# Time (in seconds) to wait for the console subprocess to
+# start. (integer value)
+{%- if conductor.get('console', {}).subprocess_timeout is defined %}
+subprocess_timeout = {{ conductor.console.subprocess_timeout }}
+{%- else %}
+#subprocess_timeout = 10
+{%- endif %}
+
+# IP address of Socat service running on the host of ironic
+# conductor. Used only by Socat console. (IP address value)
+{%- if conductor.get('console', {}).socat_address is defined %}
+socat_address = {{ conductor.console.socat_address }}
+{%- else %}
+#socat_address = $my_ip
+{%- endif %}
+
+
+[cors]
+{%- if ironic.cors is defined %}
+{%- set _data = ironic.cors %}
+{%- include "oslo_templates/files/rocky/oslo/_cors.conf" %}
+{%- endif %}
+
+
+[database]
+{%- set _data = ironic.database %}
+{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- include "oslo_templates/files/rocky/oslo/_database.conf" %}
+
+[deploy]
+
+#
+# From ironic
+#
+
+# ironic-conductor node's HTTP server URL. Example:
+# http://192.1.2.3:8080 (string value)
+{%- if conductor.get('http_url') %}
+http_url = {{ conductor.http_url }}
+{%- else %}
+#http_url = <None>
+{%- endif %}
+
+# ironic-conductor node's HTTP root path. (string value)
+{%- if conductor.get('http_root') %}
+http_root = {{ conductor.http_root }}
+{%- else %}
+#http_root = /httpboot
+{%- endif %}
+
+# Whether to support the use of ATA Secure Erase during the
+# cleaning process. Defaults to True. (boolean value)
+#enable_ata_secure_erase = true
+
+# Priority to run in-band erase devices via the Ironic Python
+# Agent ramdisk. If unset, will use the priority set in the
+# ramdisk (defaults to 10 for the GenericHardwareManager). If
+# set to 0, will not run during cleaning. (integer value)
+{%- if conductor.erase_devices_priority is defined %}
+erase_devices_priority = {{ conductor.erase_devices_priority }}
+{%- else %}
+#erase_devices_priority = <None>
+{%- endif %}
+
+# Priority to run in-band clean step that erases metadata from
+# devices, via the Ironic Python Agent ramdisk. If unset, will
+# use the priority set in the ramdisk (defaults to 99 for the
+# GenericHardwareManager). If set to 0, will not run during
+# cleaning. (integer value)
+{%- if conductor.erase_devices_metadata_priority is defined %}
+erase_devices_metadata_priority = {{ conductor.erase_devices_metadata_priority }}
+{%- else %}
+#erase_devices_metadata_priority = <None>
+{%- endif %}
+
+# During shred, overwrite all block devices N times with
+# random data. This is only used if a device could not be ATA
+# Secure Erased. Defaults to 1. (integer value)
+# Minimum value: 0
+#shred_random_overwrite_iterations = 1
+
+# Whether to write zeros to a node's block devices after
+# writing random data. This will write zeros to the device
+# even when deploy.shred_random_overwrite_iterations is 0.
+# This option is only used if a device could not be ATA Secure
+# Erased. Defaults to True. (boolean value)
+#shred_final_overwrite_with_zeros = true
+
+# Defines what to do if an ATA secure erase operation fails
+# during cleaning in the Ironic Python Agent. If False, the
+# cleaning operation will fail and the node will be put in
+# ``clean failed`` state. If True, shred will be invoked and
+# cleaning will continue. (boolean value)
+#continue_if_disk_secure_erase_fails = false
+
+# Whether to power off a node after deploy failure. Defaults
+# to True. (boolean value)
+#power_off_after_deploy_failure = true
+
+# Default boot option to use when no boot option is requested
+# in node's driver_info. Currently the default is "netboot",
+# but it will be changed to "local" in the future. It is
+# recommended to set an explicit value for this option.
+# (string value)
+# Possible values:
+# netboot - boot from a network
+# local - local boot
+{%- if conductor.default_boot_option is defined %}
+default_boot_option = {{ conductor.default_boot_option }}
+{%- else %}
+#default_boot_option = <None>
+{%- endif %}
+
+# Default boot mode to use when no boot mode is requested in
+# node's driver_info, capabilities or in the `instance_info`
+# configuration. Currently the default boot mode is "bios".
+# This option only has effect when management interface
+# supports boot mode management (string value)
+# Possible values:
+# uefi - UEFI boot mode
+# bios - Legacy BIOS boot mode
+#default_boot_mode = bios
+
+# Whether to upload the config drive to object store. Set this
+# option to True to store config drive in a swift endpoint.
+# (boolean value)
+# Deprecated group/name - [conductor]/configdrive_use_swift
+#configdrive_use_object_store = false
+
+
+[dhcp]
+
+#
+# From ironic
+#
+
+# DHCP provider to use. "neutron" uses Neutron, and "none"
+# uses a no-op provider. (string value)
+{%- if conductor.get('dhcp', {}).get('provider') %}
+dhcp_provider = {{ conductor.dhcp.provider }}
+{%- else %}
+#dhcp_provider = neutron
+{%- endif %}
+
+
+[disk_partitioner]
+
+#
+# From ironic_lib.disk_partitioner
+#
+
+# After Ironic has completed creating the partition table, it
+# continues to check for activity on the attached iSCSI device
+# status at this interval prior to copying the image to the
+# node, in seconds (integer value)
+#check_device_interval = 1
+
+# The maximum number of times to check that the device is not
+# accessed by another process. If the device is still busy
+# after that, the disk partitioning will be treated as having
+# failed. (integer value)
+#check_device_max_retries = 20
+
+
+[disk_utils]
+
+#
+# From ironic_lib.disk_utils
+#
+
+# Size of EFI system partition in MiB when configuring UEFI
+# systems for local boot. (integer value)
+{%- if ironic.uefi.efi_system_partition_size is defined %}
+efi_system_partition_size = {{ ironic.uefi.efi_system_partition_size }}
+{%- else %}
+#efi_system_partition_size = 200
+{%- endif %}
+
+# Size of BIOS Boot partition in MiB when configuring GPT
+# partitioned systems for local boot in BIOS. (integer value)
+#bios_boot_partition_size = 1
+
+# Block size to use when writing to the nodes disk. (string
+# value)
+#dd_block_size = 1M
+
+# Maximum attempts to verify an iSCSI connection is active,
+# sleeping 1 second between attempts. (integer value)
+#iscsi_verify_attempts = 3
+
+# Maximum number of attempts to try to read the partition.
+# (integer value)
+#partprobe_attempts = 10
+
+
+[drac]
+
+#
+# From ironic
+#
+
+# Interval (in seconds) between periodic RAID job status
+# checks to determine whether the asynchronous RAID
+# configuration was successfully finished or not. (integer
+# value)
+# Minimum value: 1
+#query_raid_config_job_status_interval = 120
+
+
+[glance]
+
+#
+# From ironic
+#
+
+# A list of URL schemes that can be downloaded directly via
+# the direct_url.  Currently supported schemes: [file]. (list
+# value)
+#allowed_direct_url_schemes =
+
+{%- set _data = ironic.get('glance', ironic.get('identity', {})) %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/rocky/keystoneauth/_type_" + auth_type + ".conf" %}
+
+# DEPRECATED: Authentication strategy to use when connecting
+# to glance. (string value)
+# Possible values:
+# keystone - use the Identity service for authentication
+# noauth - no authentication
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: To configure glance in noauth mode, set
+# [glance]/auth_type=none and
+# [glance]/endpoint_override=<GLANCE_API_ADDRESS> instead.
+{%- if conductor.get('glance', {}).get('auth_strategy') %}
+auth_strategy = {{ conductor.glance.auth_strategy }}
+{%- else %}
+#auth_strategy = keystone
+{%- endif %}
+
+# Authentication type to load (string value)
+# Deprecated group/name - [glance]/auth_plugin
+#auth_type = <None>
+
+# PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. (string value)
+#cafile = <None>
+
+# PEM encoded client certificate cert file (string value)
+#certfile = <None>
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Optional domain ID to use with v3 and v2 parameters. It will
+# be used for both the user and project domain in v3 and
+# ignored in v2 authentication. (string value)
+#default_domain_id = <None>
+
+# Optional domain name to use with v3 API and v2 parameters.
+# It will be used for both the user and project domain in v3
+# and ignored in v2 authentication. (string value)
+#default_domain_name = <None>
+
+# Domain ID to scope to (string value)
+#domain_id = <None>
+
+# Domain name to scope to (string value)
+#domain_name = <None>
+
+# Always use this endpoint URL for requests for this client.
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
+#endpoint_override = <None>
+
+# DEPRECATED: Allow to perform insecure SSL (https) requests
+# to glance. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [glance]/insecure option instead.
+#glance_api_insecure = false
+
+# DEPRECATED: A list of the glance api servers available to
+# ironic. Prefix with https:// for SSL-based glance API
+# servers. Format is [hostname|IP]:port. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [glance]/endpoint_override option to set the
+# full load-balanced glance API URL instead.
+#glance_api_servers = <None>
+
+# DEPRECATED: Glance API version (1 or 2) to use. (integer
+# value)
+# Minimum value: 1
+# Maximum value: 2
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Ironic will only support using Glance API version 2
+# in the Queens release.
+#glance_api_version = 2
+
+# DEPRECATED: Optional path to a CA certificate bundle to be
+# used to validate the SSL certificate served by glance. It is
+# used when glance_api_insecure is set to False. (string
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [glance]/cafile option instead.
+#glance_cafile = <None>
+
+# Number of retries when downloading an image from glance.
+# (integer value)
+#glance_num_retries = 0
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# PEM encoded client certificate key file (string value)
+#keyfile = <None>
+
+# The maximum major version of a given API, intended to be
+# used as the upper bound of a range with min_version.
+# Mutually exclusive with version. (string value)
+#max_version = <None>
+
+# The minimum major version of a given API, intended to be
+# used as the lower bound of a range with max_version.
+# Mutually exclusive with version. If min_version is given
+# with no max_version it is as if max version is "latest".
+# (string value)
+#min_version = <None>
+
+# User's password (string value)
+#password = <None>
+
+# Domain ID containing project (string value)
+#project_domain_id = <None>
+
+# Domain name containing project (string value)
+#project_domain_name = <None>
+
+# Project ID to scope to (string value)
+# Deprecated group/name - [glance]/tenant_id
+#project_id = <None>
+
+# Project name to scope to (string value)
+# Deprecated group/name - [glance]/tenant_name
+#project_name = <None>
+
+# The default region_name for endpoint URL discovery. (string
+# value)
+#region_name = <None>
+
+# The default service_name for endpoint URL discovery. (string
+# value)
+#service_name = <None>
+
+# The default service_type for endpoint URL discovery. (string
+# value)
+#service_type = image
+
+# Log requests to multiple loggers. (boolean value)
+#split_loggers = false
+
+# The account that Glance uses to communicate with Swift. The
+# format is "AUTH_uuid". "uuid" is the UUID for the account
+# configured in the glance-api.conf. For example:
+# "AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30". If not set, the
+# default value is calculated based on the ID of the project
+# used to access Swift (as set in the [swift] section). Swift
+# temporary URL format:
+# "endpoint_url/api_version/account/container/object_id"
+# (string value)
+#swift_account = <None>
+
+# The Swift API version to create a temporary URL for.
+# Defaults to "v1". Swift temporary URL format:
+# "endpoint_url/api_version/account/container/object_id"
+# (string value)
+#swift_api_version = v1
+
+# The Swift container Glance is configured to store its images
+# in. Defaults to "glance", which is the default in glance-
+# api.conf. Swift temporary URL format:
+# "endpoint_url/api_version/account/container/object_id"
+# (string value)
+#swift_container = glance
+
+# The "endpoint" (scheme, hostname, optional port) for the
+# Swift URL of the form
+# "endpoint_url/api_version/account/container/object_id". Do
+# not include trailing "/". For example, use
+# "https://swift.example.com". If using RADOS Gateway,
+# endpoint may also contain /swift path; if it does not, it
+# will be appended. Used for temporary URLs, will be fetched
+# from the service catalog, if not provided. (string value)
+#swift_endpoint_url = <None>
+
+# This should match a config by the same name in the Glance
+# configuration file. When set to 0, a single-tenant store
+# will only use one container to store all images. When set to
+# an integer value between 1 and 32, a single-tenant store
+# will use multiple containers to store images, and this value
+# will determine how many containers are created. (integer
+# value)
+#swift_store_multiple_containers_seed = 0
+
+# Whether to cache generated Swift temporary URLs. Setting it
+# to true is only useful when an image caching proxy is used.
+# Defaults to False. (boolean value)
+#swift_temp_url_cache_enabled = false
+
+# The length of time in seconds that the temporary URL will be
+# valid for. Defaults to 20 minutes. If some deploys get a 401
+# response code when trying to download from the temporary
+# URL, try raising this duration. This value must be greater
+# than or equal to the value for
+# swift_temp_url_expected_download_start_delay (integer value)
+#swift_temp_url_duration = 1200
+
+# This is the delay (in seconds) from the time of the deploy
+# request (when the Swift temporary URL is generated) to when
+# the IPA ramdisk starts up and URL is used for the image
+# download. This value is used to check if the Swift temporary
+# URL duration is large enough to let the image download
+# begin. Also if temporary URL caching is enabled this will
+# determine if a cached entry will still be valid when the
+# download starts. swift_temp_url_duration value must be
+# greater than or equal to this option's value. Defaults to 0.
+# (integer value)
+# Minimum value: 0
+#swift_temp_url_expected_download_start_delay = 0
+
+# The secret token given to Swift to allow temporary URL
+# downloads. Required for temporary URLs. For the Swift
+# backend, the key on the service project (as set in the
+# [swift] section) is used by default. (string value)
+{%- if conductor.get('glance', {}).get('swift_temp_url_key') %}
+swift_temp_url_key = {{ conductor.glance.swift_temp_url_key }}
+{%- else %}
+#swift_temp_url_key = <None>
+{%- endif %}
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
+# Tenant ID (string value)
+#tenant_id = <None>
+
+# Tenant Name (string value)
+#tenant_name = <None>
+
+# Timeout value for http requests (integer value)
+#timeout = <None>
+
+# Trust ID (string value)
+#trust_id = <None>
+
+# User's domain id (string value)
+#user_domain_id = <None>
+
+# User's domain name (string value)
+{%- if conductor.get('glance', {}).get('user_domain_name') %}
+user_domain_name = {{ conductor.glance.user_domain_name }}
+{%- else %}
+#user_domain_name = <None>
+{%- endif %}
+
+# User id (string value)
+#user_id = <None>
+
+# Username (string value)
+# Deprecated group/name - [glance]/user_name
+{%- if conductor.get('glance', {}).get('username') %}
+username = {{ conductor.glance.username }}
+{%- else %}
+#username = <None>
+{%- endif %}
+
+# List of interfaces, in order of preference, for endpoint
+# URL. (list value)
+#valid_interfaces = internal,public
+
+# Minimum Major API version within a given Major API version
+# for endpoint URL discovery. Mutually exclusive with
+# min_version and max_version (string value)
+#version = <None>
+
+
+[healthcheck]
+
+#
+# From ironic
+#
+
+# Enable the health check endpoint at /healthcheck. Note that
+# this is unauthenticated. More information is available at
+# https://docs.openstack.org/oslo.middleware/latest/reference/healthcheck_plugins.html.
+# (boolean value)
+#enabled = false
+
+#
+# From oslo.middleware.healthcheck
+#
+
+# DEPRECATED: The path to respond to healtcheck requests on.
+# (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#path = /healthcheck
+
+# Show more detailed information as part of the response
+# (boolean value)
+#detailed = false
+
+# Additional backends that can perform health checks and
+# report that information back as part of a request. (list
+# value)
+#backends =
+
+# Check the presence of a file to determine if an application
+# is running on a port. Used by DisableByFileHealthcheck
+# plugin. (string value)
+#disable_by_file_path = <None>
+
+# Check the presence of a file based on a port to determine if
+# an application is running on a port. Expects a "port:path"
+# list of strings. Used by DisableByFilesPortsHealthcheck
+# plugin. (list value)
+#disable_by_file_paths =
+
+
+[ilo]
+
+#
+# From ironic
+#
+
+# Timeout (in seconds) for iLO operations (integer value)
+{%- if conductor.get('ilo', {}).get('client_timeout') %}
+client_timeout = {{ conductor.ilo.client_timeout }}
+{%- else %}
+#client_timeout = 60
+{%- endif %}
+
+# Port to be used for iLO operations (port value)
+# Minimum value: 0
+# Maximum value: 65535
+{%- if conductor.get('ilo', {}).get('client_port') %}
+client_port = {{ conductor.ilo.client_port }}
+{%- else %}
+#client_port = 443
+{%- endif %}
+
+
+# The Swift iLO container to store data. (string value)
+{%- if conductor.get('ilo', {}).get('swift_ilo_container') %}
+swift_ilo_container = {{ conductor.ilo.swift_ilo_container }}
+{%- else %}
+#swift_ilo_container = ironic_ilo_container
+{%- endif %}
+
+# Amount of time in seconds for Swift objects to auto-expire.
+# (integer value)
+{%- if conductor.get('ilo', {}).get('swift_object_expiry_timeout') %}
+swift_object_expiry_timeout = {{ conductor.ilo.swift_object_expiry_timeout }}
+{%- else %}
+#swift_object_expiry_timeout = 900
+{%- endif %}
+
+# Set this to True to use http web server to host floppy
+# images and generated boot ISO. This requires http_root and
+# http_url to be configured in the [deploy] section of the
+# config file. If this is set to False, then Ironic will use
+# Swift to host the floppy images and generated boot_iso.
+# (boolean value)
+{%- if conductor.get('ilo', {}).get('use_web_server_for_images') %}
+use_web_server_for_images = {{ conductor.ilo.use_web_server_for_images }}
+{%- else %}
+#use_web_server_for_images = false
+{%- endif %}
+
+# Priority for reset_ilo clean step. (integer value)
+{%- if conductor.get('ilo', {}).get('clean_priority_reset_ilo') %}
+clean_priority_reset_ilo = {{ conductor.ilo.clean_priority_reset_ilo }}
+{%- else %}
+#clean_priority_reset_ilo = 0
+{%- endif %}
+
+
+# Priority for reset_bios_to_default clean step. (integer
+# value)
+#clean_priority_reset_bios_to_default = 10
+{%- if conductor.get('ilo', {}).get('clean_priority_reset_bios_to_default') %}
+clean_priority_reset_bios_to_default = {{ conductor.ilo.clean_priority_reset_bios_to_default }}
+{%- else %}
+#clean_priority_reset_bios_to_default = 10
+{%- endif %}
+
+# Priority for reset_secure_boot_keys clean step. This step
+# will reset the secure boot keys to manufacturing defaults.
+# (integer value)
+{%- if conductor.get('ilo', {}).get('clean_priority_reset_secure_boot_keys_to_default') %}
+clean_priority_reset_secure_boot_keys_to_default = {{ conductor.ilo.clean_priority_reset_secure_boot_keys_to_default }}
+{%- else %}
+#clean_priority_reset_secure_boot_keys_to_default = 20
+{%- endif %}
+
+# Priority for clear_secure_boot_keys clean step. This step is
+# not enabled by default. It can be enabled to clear all
+# secure boot keys enrolled with iLO. (integer value)
+{%- if conductor.get('ilo', {}).get('clean_priority_clear_secure_boot_keys') %}
+clean_priority_clear_secure_boot_keys = {{ conductor.ilo.clean_priority_clear_secure_boot_keys }}
+{%- else %}
+#clean_priority_clear_secure_boot_keys = 0
+{%- endif %}
+
+# Priority for reset_ilo_credential clean step. This step
+# requires "ilo_change_password" parameter to be updated in
+# nodes's driver_info with the new password. (integer value)
+{%- if conductor.get('ilo', {}).get('clean_priority_reset_ilo_credential') %}
+clean_priority_reset_ilo_credential = {{ conductor.ilo.clean_priority_reset_ilo_credential }}
+{%- else %}
+#clean_priority_reset_ilo_credential = 30
+{%- endif %}
+
+# Number of times a power operation needs to be retried
+# (integer value)
+{%- if conductor.get('ilo', {}).get('power_retry') %}
+power_retry = {{ conductor.ilo.power_retry }}
+{%- else %}
+#power_retry = 6
+{%- endif %}
+
+# Amount of time in seconds to wait in between power
+# operations (integer value)
+{%- if conductor.get('ilo', {}).get('power_wait') %}
+power_wait = {{ conductor.ilo.power_wait }}
+{%- else %}
+#power_wait = 2
+{%- endif %}
+
+# CA certificate file to validate iLO. (string value)
+{%- if conductor.get('ilo', {}).get('ca_file') %}
+ca_file = {{ conductor.ilo.ca_file }}
+{%- else %}
+#ca_file = <None>
+{%- endif %}
+
+# Default boot mode to be used in provisioning when
+# "boot_mode" capability is not provided in the
+# "properties/capabilities" of the node. The default is "auto"
+# for backward compatibility. When "auto" is specified,
+# default boot mode will be selected based on boot mode
+# settings on the system. (string value)
+# Possible values:
+# auto - based on boot mode settings on the system
+# bios - BIOS boot mode
+# uefi - UEFI boot mode
+{%- if conductor.get('ilo', {}).get('default_boot_mode') %}
+default_boot_mode = {{ conductor.ilo.default_boot_mode }}
+{%- else %}
+#default_boot_mode = auto
+{%- endif %}
+
+
+[inspector]
+
+#
+# From ironic
+#
+
+# Authentication URL (string value)
+#auth_url = <None>
+
+# Authentication type to load (string value)
+# Deprecated group/name - [inspector]/auth_plugin
+#auth_type = <None>
+
+# PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. (string value)
+#cafile = <None>
+
+# PEM encoded client certificate cert file (string value)
+#certfile = <None>
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Optional domain ID to use with v3 and v2 parameters. It will
+# be used for both the user and project domain in v3 and
+# ignored in v2 authentication. (string value)
+#default_domain_id = <None>
+
+# Optional domain name to use with v3 API and v2 parameters.
+# It will be used for both the user and project domain in v3
+# and ignored in v2 authentication. (string value)
+#default_domain_name = <None>
+
+# Domain ID to scope to (string value)
+#domain_id = <None>
+
+# Domain name to scope to (string value)
+#domain_name = <None>
+
+# DEPRECATED: This option has no affect since the classic
+# drivers removal. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#enabled = false
+
+# Always use this endpoint URL for requests for this client.
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
+#endpoint_override = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# PEM encoded client certificate key file (string value)
+#keyfile = <None>
+
+# The maximum major version of a given API, intended to be
+# used as the upper bound of a range with min_version.
+# Mutually exclusive with version. (string value)
+#max_version = <None>
+
+# The minimum major version of a given API, intended to be
+# used as the lower bound of a range with max_version.
+# Mutually exclusive with version. If min_version is given
+# with no max_version it is as if max version is "latest".
+# (string value)
+#min_version = <None>
+
+# User's password (string value)
+#password = <None>
+
+# Domain ID containing project (string value)
+#project_domain_id = <None>
+
+# Domain name containing project (string value)
+#project_domain_name = <None>
+
+# Project ID to scope to (string value)
+# Deprecated group/name - [inspector]/tenant_id
+#project_id = <None>
+
+# Project name to scope to (string value)
+# Deprecated group/name - [inspector]/tenant_name
+#project_name = <None>
+
+# The default region_name for endpoint URL discovery. (string
+# value)
+#region_name = <None>
+
+# The default service_name for endpoint URL discovery. (string
+# value)
+#service_name = <None>
+
+# The default service_type for endpoint URL discovery. (string
+# value)
+#service_type = baremetal-introspection
+
+# DEPRECATED: ironic-inspector HTTP endpoint. If this is not
+# set, the service catalog will be used. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [inspector]/endpoint_override option instead to
+# set a specific ironic-inspector API URL to connect to.
+#service_url = <None>
+
+# Log requests to multiple loggers. (boolean value)
+#split_loggers = false
+
+# period (in seconds) to check status of nodes on inspection
+# (integer value)
+#status_check_period = 60
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
+# Tenant ID (string value)
+#tenant_id = <None>
+
+# Tenant Name (string value)
+#tenant_name = <None>
+
+# Timeout value for http requests (integer value)
+#timeout = <None>
+
+# Trust ID (string value)
+#trust_id = <None>
+
+# User's domain id (string value)
+#user_domain_id = <None>
+
+# User's domain name (string value)
+#user_domain_name = <None>
+
+# User id (string value)
+#user_id = <None>
+
+# Username (string value)
+# Deprecated group/name - [inspector]/user_name
+#username = <None>
+
+# List of interfaces, in order of preference, for endpoint
+# URL. (list value)
+#valid_interfaces = internal,public
+
+# Minimum Major API version within a given Major API version
+# for endpoint URL discovery. Mutually exclusive with
+# min_version and max_version (string value)
+#version = <None>
+
+[ipmi]
+
+#
+# From ironic
+#
+
+# Maximum time in seconds to retry retryable IPMI operations.
+# (An operation is retryable, for example, if the requested
+# operation fails because the BMC is busy.) Setting this too
+# high can cause the sync power state periodic task to hang
+# when there are slow or unresponsive BMCs. (integer value)
+#command_retry_timeout = 60
+
+# Minimum time, in seconds, between IPMI operations sent to a
+# server. There is a risk with some hardware that setting this
+# too low may cause the BMC to crash. Recommended setting is 5
+# seconds. (integer value)
+#min_command_interval = 5
+
+
+[irmc]
+
+#
+# From ironic
+#
+
+# Ironic conductor node's "NFS" or "CIFS" root path (string
+# value)
+#remote_image_share_root = /remote_image_share_root
+
+# IP of remote image server (string value)
+#remote_image_server = <None>
+
+# Share type of virtual media (string value)
+# Possible values:
+# CIFS - CIFS (Common Internet File System) protocol
+# NFS - NFS (Network File System) protocol
+#remote_image_share_type = CIFS
+
+# share name of remote_image_server (string value)
+#remote_image_share_name = share
+
+# User name of remote_image_server (string value)
+#remote_image_user_name = <None>
+
+# Password of remote_image_user_name (string value)
+#remote_image_user_password = <None>
+
+# Domain name of remote_image_user_name (string value)
+#remote_image_user_domain =
+
+# Port to be used for iRMC operations (port value)
+# Minimum value: 0
+# Maximum value: 65535
+# Possible values:
+# 443 - port 443
+# 80 - port 80
+#port = 443
+
+# Authentication method to be used for iRMC operations (string
+# value)
+# Possible values:
+# basic - Basic authentication
+# digest - Digest authentication
+#auth_method = basic
+
+# Timeout (in seconds) for iRMC operations (integer value)
+#client_timeout = 60
+
+# Sensor data retrieval method. (string value)
+# Possible values:
+# ipmitool - IPMItool
+# scci - Fujitsu SCCI (ServerView Common Command Interface)
+#sensor_method = ipmitool
+
+# SNMP protocol version (string value)
+# Possible values:
+# v1 - SNMPv1
+# v2c - SNMPv2c
+# v3 - SNMPv3
+#snmp_version = v2c
+
+# SNMP port (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#snmp_port = 161
+
+# SNMP community. Required for versions "v1" and "v2c" (string
+# value)
+#snmp_community = public
+
+# SNMP security name. Required for version "v3" (string value)
+#snmp_security = <None>
+
+# SNMP polling interval in seconds (integer value)
+#snmp_polling_interval = 10
+
+# Priority for restore_irmc_bios_config clean step. (integer
+# value)
+#clean_priority_restore_irmc_bios_config = 0
+
+# List of vendor IDs and device IDs for GPU device to inspect.
+# List items are in format vendorID/deviceID and separated by
+# commas. GPU inspection will use this value to count the
+# number of GPU device in a node. If this option is not
+# defined, then leave out pci_gpu_devices in capabilities
+# property. Sample gpu_ids value: 0x1000/0x0079,0x2100/0x0080
+# (list value)
+#gpu_ids =
+
+# List of vendor IDs and device IDs for CPU FPGA to inspect.
+# List items are in format vendorID/deviceID and separated by
+# commas. CPU inspection will use this value to find existence
+# of CPU FPGA in a node. If this option is not defined, then
+# leave out CUSTOM_CPU_FPGA in node traits. Sample fpga_ids
+# value: 0x1000/0x0079,0x2100/0x0080 (list value)
+#fpga_ids =
+
+# Interval (in seconds) between periodic RAID status checks to
+# determine whether the asynchronous RAID configuration was
+# successfully finished or not. Foreground Initialization
+# (FGI) will start 5 minutes after creating virtual drives.
+# (integer value)
+# Minimum value: 1
+#query_raid_config_fgi_status_interval = 300
+
+
+[ironic_lib]
+
+#
+# From ironic_lib.utils
+#
+
+# Command that is prefixed to commands that are run as root.
+# If not specified, no commands are run as root. (string
+# value)
+#root_helper = sudo ironic-rootwrap /etc/ironic/rootwrap.conf
+
+
+[iscsi]
+
+#
+# From ironic
+#
+
+# The port number on which the iSCSI portal listens for
+# incoming connections. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#portal_port = 3260
+
+
+[keystone]
+
+#
+# From ironic
+#
+
+# The region used for getting endpoints of OpenStack services.
+# (string value)
+{%- if ironic.get('identity', {}).get('region') %}
+region_name = {{ ironic.identity.region }}
+{%- else %}
+#region_name = <None>
+{%- endif %}
+
+# DEPRECATED: Directory used to cache files related to PKI
+# tokens. This option has been deprecated in the Ocata release
+# and will be removed in the P release. (string value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#signing_dir = <None>
+
+[keystone_authtoken]
+{%- set _data = ironic.get('identity', {}) %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/rocky/keystoneauth/_type_" + auth_type + ".conf" %}
+
+[matchmaker_redis]
+
+#
+# From oslo.messaging
+#
+
+# DEPRECATED: Host to locate redis. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#host = 127.0.0.1
+
+# DEPRECATED: Use this port to connect to redis host. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#port = 6379
+
+# DEPRECATED: Password for Redis server (optional). (string
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#password =
+
+# DEPRECATED: List of Redis Sentinel hosts (fault tolerance
+# mode), e.g., [host:port, host1:port ... ] (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
+#sentinel_hosts =
+
+# Redis replica set name. (string value)
+#sentinel_group_name = oslo-messaging-zeromq
+
+# Time in ms to wait between connection attempts. (integer
+# value)
+#wait_timeout = 2000
+
+# Time in ms to wait before the transaction is killed.
+# (integer value)
+#check_timeout = 20000
+
+# Timeout in ms on blocking socket operations. (integer value)
+#socket_timeout = 10000
+
+
+[metrics]
+
+#
+# From ironic
+#
+
+# Backend for the agent ramdisk to use for metrics. Default
+# possible backends are "noop" and "statsd". (string value)
+#agent_backend = noop
+
+# Prepend the hostname to all metric names sent by the agent
+# ramdisk. The format of metric names is
+# [global_prefix.][uuid.][host_name.]prefix.metric_name.
+# (boolean value)
+#agent_prepend_host = false
+
+# Prepend the node's Ironic uuid to all metric names sent by
+# the agent ramdisk. The format of metric names is
+# [global_prefix.][uuid.][host_name.]prefix.metric_name.
+# (boolean value)
+#agent_prepend_uuid = false
+
+# Split the prepended host value by "." and reverse it for
+# metrics sent by the agent ramdisk (to better match the
+# reverse hierarchical form of domain names). (boolean value)
+#agent_prepend_host_reverse = true
+
+# Prefix all metric names sent by the agent ramdisk with this
+# value. The format of metric names is
+# [global_prefix.][uuid.][host_name.]prefix.metric_name.
+# (string value)
+#agent_global_prefix = <None>
+
+#
+# From ironic_lib.metrics
+#
+
+# Backend to use for the metrics system. (string value)
+# Possible values:
+# noop - <No description provided>
+# statsd - <No description provided>
+#backend = noop
+
+# Prepend the hostname to all metric names. The format of
+# metric names is
+# [global_prefix.][host_name.]prefix.metric_name. (boolean
+# value)
+#prepend_host = false
+
+# Split the prepended host value by "." and reverse it (to
+# better match the reverse hierarchical form of domain names).
+# (boolean value)
+#prepend_host_reverse = true
+
+# Prefix all metric names with this value. By default, there
+# is no global prefix. The format of metric names is
+# [global_prefix.][host_name.]prefix.metric_name. (string
+# value)
+#global_prefix = <None>
+
+
+[metrics_statsd]
+
+#
+# From ironic
+#
+
+# Host for the agent ramdisk to use with the statsd backend.
+# This must be accessible from networks the agent is booted
+# on. (string value)
+#agent_statsd_host = localhost
+
+# Port for the agent ramdisk to use with the statsd backend.
+# (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#agent_statsd_port = 8125
+
+#
+# From ironic_lib.metrics_statsd
+#
+
+# Host for use with the statsd backend. (string value)
+#statsd_host = localhost
+
+# Port to use with the statsd backend. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#statsd_port = 8125
+
+
+[neutron]
+{%- set _data = ironic.get('neutron', ironic.get('identity', {})) %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/rocky/keystoneauth/_type_" + auth_type + ".conf" %}
+
+#
+# From ironic
+#
+
+# Authentication URL (string value)
+#auth_url = <None>
+
+# DEPRECATED: Authentication strategy to use when connecting
+# to neutron. Running neutron in noauth mode (related to but
+# not affected by this setting) is insecure and should only be
+# used for testing. (string value)
+# Possible values:
+# keystone - use the Identity service for authentication
+# noauth - no authentication
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: To configure neutron for noauth mode, set
+# [neutron]/auth_type = none and
+# [neutron]/endpoint_override=<NEUTRON_API_URL> instead
+#auth_strategy = keystone
+
+# Authentication type to load (string value)
+# Deprecated group/name - [neutron]/auth_plugin
+#auth_type = <None>
+
+# PEM encoded Certificate Authority to use when verifying
+# HTTPs connections. (string value)
+#cafile = <None>
+
+# PEM encoded client certificate cert file (string value)
+#certfile = <None>
+
+# Neutron network UUID or name for the ramdisk to be booted
+# into for cleaning nodes. Required for "neutron" network
+# interface. It is also required if cleaning nodes when using
+# "flat" network interface or "neutron" DHCP provider. If a
+# name is provided, it must be unique among all networks or
+# cleaning will fail. (string value)
+# Deprecated group/name - [neutron]/cleaning_network_uuid
+{%- if conductor.get('neutron', {}).get('cleaning_network') %}
+cleaning_network = {{ conductor.neutron.cleaning_network }}
+{%- else %}
+#cleaning_network = <None>
+{%- endif %}
+
+# List of Neutron Security Group UUIDs to be applied during
+# cleaning of the nodes. Optional for the "neutron" network
+# interface and not used for the "flat" or "noop" network
+# interfaces. If not specified, default security group is
+# used. (list value)
+#cleaning_network_security_groups =
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Optional domain ID to use with v3 and v2 parameters. It will
+# be used for both the user and project domain in v3 and
+# ignored in v2 authentication. (string value)
+#default_domain_id = <None>
+
+# Optional domain name to use with v3 API and v2 parameters.
+# It will be used for both the user and project domain in v3
+# and ignored in v2 authentication. (string value)
+#default_domain_name = <None>
+
+# Domain ID to scope to (string value)
+#domain_id = <None>
+
+# Domain name to scope to (string value)
+#domain_name = <None>
+
+# Always use this endpoint URL for requests for this client.
+# NOTE: The unversioned endpoint should be specified here; to
+# request a particular API version, use the `version`, `min-
+# version`, and/or `max-version` options. (string value)
+#endpoint_override = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# PEM encoded client certificate key file (string value)
+#keyfile = <None>
+
+# The maximum major version of a given API, intended to be
+# used as the upper bound of a range with min_version.
+# Mutually exclusive with version. (string value)
+#max_version = <None>
+
+# The minimum major version of a given API, intended to be
+# used as the lower bound of a range with max_version.
+# Mutually exclusive with version. If min_version is given
+# with no max_version it is as if max version is "latest".
+# (string value)
+#min_version = <None>
+
+# User's password (string value)
+#password = <None>
+
+# Delay value to wait for Neutron agents to setup sufficient
+# DHCP configuration for port. (integer value)
+# Minimum value: 0
+{%- if conductor.get('neutron', {}).get('port_setup_delay') %}
+port_setup_delay = {{ conductor.neutron.port_setup_delay }}
+{%- else %}
+#port_setup_delay = 0
+{%- endif %}
+
+# Domain ID containing project (string value)
+#project_domain_id = <None>
+
+# Domain name containing project (string value)
+#project_domain_name = <None>
+
+# Project ID to scope to (string value)
+# Deprecated group/name - [neutron]/tenant_id
+#project_id = <None>
+
+# Project name to scope to (string value)
+# Deprecated group/name - [neutron]/tenant_name
+#project_name = <None>
+
+# Neutron network UUID or name for the ramdisk to be booted
+# into for provisioning nodes. Required for "neutron" network
+# interface. If a name is provided, it must be unique among
+# all networks or deploy will fail. (string value)
+# Deprecated group/name - [neutron]/provisioning_network_uuid
+{%- if conductor.get('neutron', {}).get('provisioning_network') %}
+provisioning_network = {{ conductor.neutron.provisioning_network }}
+{%- else %}
+#provisioning_network = <None>
+{%- endif %}
+
+# List of Neutron Security Group UUIDs to be applied during
+# provisioning of the nodes. Optional for the "neutron"
+# network interface and not used for the "flat" or "noop"
+# network interfaces. If not specified, default security group
+# is used. (list value)
+#provisioning_network_security_groups =
+
+# The default region_name for endpoint URL discovery. (string
+# value)
+#region_name = <None>
+
+# Neutron network UUID or name for booting the ramdisk for
+# rescue mode. This is not the network that the rescue ramdisk
+# will use post-boot -- the tenant network is used for that.
+# Required for "neutron" network interface, if rescue mode
+# will be used. It is not used for the "flat" or "noop"
+# network interfaces. If a name is provided, it must be unique
+# among all networks or rescue will fail. (string value)
+{%- if conductor.get('neutron', {}).get('rescuing_network') %}
+rescuing_network = {{ conductor.neutron.rescuing_network }}
+{%- else %}
+#rescuing_network = <None>
+{%- endif %}
+
+# List of Neutron Security Group UUIDs to be applied during
+# the node rescue process. Optional for the "neutron" network
+# interface and not used for the "flat" or "noop" network
+# interfaces. If not specified, the default security group is
+# used. (list value)
+#rescuing_network_security_groups =
+
+# Client retries in the case of a failed request. (integer
+# value)
+#retries = 3
+
+# The default service_name for endpoint URL discovery. (string
+# value)
+#service_name = <None>
+
+# The default service_type for endpoint URL discovery. (string
+# value)
+#service_type = network
+
+# Log requests to multiple loggers. (boolean value)
+#split_loggers = false
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
+# Tenant ID (string value)
+#tenant_id = <None>
+
+# Tenant Name (string value)
+#tenant_name = <None>
+
+# Timeout value for http requests (integer value)
+#timeout = <None>
+
+# Trust ID (string value)
+#trust_id = <None>
+
+# DEPRECATED: URL for connecting to neutron. Default value
+# translates to 'http://$my_ip:9696' when auth_strategy is
+# 'noauth', and to discovery from Keystone catalog when
+# auth_strategy is 'keystone'. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use [neutron]/endpoint_override option instead. It
+# has no default value and must be set explicitly if required
+# to connect to specific neutron URL, for example in stand
+# alone mode when [neutron]/auth_type is 'none'.
+#url = <None>
+
+# DEPRECATED: Timeout value for connecting to neutron in
+# seconds. (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Set the desired value explicitly using the
+# [neutron]/timeout option instead.
+#url_timeout = 30
+
+# User's domain id (string value)
+#user_domain_id = <None>
+
+# User's domain name (string value)
+#user_domain_name = <None>
+
+# User id (string value)
+#user_id = <None>
+
+# Username (string value)
+# Deprecated group/name - [neutron]/user_name
+#username = <None>
+
+# List of interfaces, in order of preference, for endpoint
+# URL. (list value)
+#valid_interfaces = internal,public
+
+# Minimum Major API version within a given Major API version
+# for endpoint URL discovery. Mutually exclusive with
+# min_version and max_version (string value)
+#version = <None>
+
+
+[oneview]
+
+#
+# From ironic
+#
+
+# URL where OneView is available. (string value)
+#manager_url = <None>
+
+# OneView username to be used. (string value)
+#username = <None>
+
+# OneView password to be used. (string value)
+#password = <None>
+
+# Option to allow insecure connection with OneView. (boolean
+# value)
+#allow_insecure_connections = false
+
+# Path to CA certificate. (string value)
+#tls_cacert_file = <None>
+
+# Whether to enable the periodic tasks for OneView driver be
+# aware when OneView hardware resources are taken and released
+# by Ironic or OneView users and proactively manage nodes in
+# clean fail state according to Dynamic Allocation model of
+# hardware resources allocation in OneView. (boolean value)
+#enable_periodic_tasks = true
+
+# Period (in seconds) for periodic tasks to be executed when
+# enable_periodic_tasks=True. (integer value)
+#periodic_check_interval = 300
+
+
+[oslo_concurrency]
+{%- if ironic.concurrency is defined %}
+{%- set _data = ironic.concurrency %}
+{%- include "oslo_templates/files/rocky/oslo/_concurrency.conf" %}
+{%- endif %}
+
+[oslo_messaging_notifications]
+{%- set _data = ironic.notification %}
+{%- include "oslo_templates/files/rocky/oslo/messaging/_notifications.conf" %}
+
+{%- if ironic.message_queue is defined %}
+{%- set _data = ironic.message_queue %}
+{%- if _data.engine == 'rabbitmq' %}
+    {%- set messaging_engine = 'rabbit' %}
+{%- else %}
+    {%- set messaging_engine = _data.engine %}
+{%- endif %}
+[oslo_messaging_{{ messaging_engine }}]
+{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- include "oslo_templates/files/rocky/oslo/messaging/_" + messaging_engine + ".conf" %}
+{%- endif %}
+
+[oslo_policy]
+{%- if ironic.policy is defined %}
+{%- set _data = ironic.policy %}
+{%- include "oslo_templates/files/rocky/oslo/_policy.conf" %}
+{%- endif %}
+
+[profiler]
+{%- if ironic.profiler is defined %}
+{%- set _data = ironic.profiler %}
+{%- include "oslo_templates/files/rocky/oslo/_osprofiler.conf" %}
+{%- endif %}
+
+
+[pxe]
+
+#
+# From ironic
+#
+
+# Additional append parameters for baremetal PXE boot. (string
+# value)
+{%- if conductor.pxe_append_params is defined %}
+pxe_append_params = {{ conductor.pxe_append_params }}
+{%- else %}
+#pxe_append_params = nofb nomodeset vga=normal
+{%- endif %}
+
+# Default file system format for ephemeral partition, if one
+# is created. (string value)
+#default_ephemeral_format = ext4
+
+# On the ironic-conductor node, directory where images are
+# stored on disk. (string value)
+#images_path = /var/lib/ironic/images/
+
+# On the ironic-conductor node, directory where master
+# instance images are stored on disk. Setting to the empty
+# string disables image caching. (string value)
+#instance_master_path = /var/lib/ironic/master_images
+
+# Maximum size (in MiB) of cache for master images, including
+# those in use. (integer value)
+#image_cache_size = 20480
+
+# Maximum TTL (in minutes) for old master images in cache.
+# (integer value)
+#image_cache_ttl = 10080
+
+# On ironic-conductor node, template file for PXE
+# configuration. (string value)
+{%- if conductor.get('pxe_config_template') %}
+pxe_config_template = {{ conductor.pxe_config_template }}
+{%- else %}
+#pxe_config_template = $pybasedir/drivers/modules/pxe_common.template
+{%- endif %}
+
+# On ironic-conductor node, template file for PXE
+# configuration for UEFI boot loader. (string value)
+{%- if ironic.uefi.efi_pxe_config_template is defined %}
+uefi_pxe_config_template = {{ ironic.uefi.efi_pxe_config_template }}
+{%- else %}
+#uefi_pxe_config_template = $pybasedir/drivers/modules/pxe_grub_common.template
+{%- endif %}
+
+# On ironic-conductor node, template file for PXE
+# configuration per node architecture. For example:
+# aarch64:/opt/share/grubaa64_pxe_config.template (dict value)
+#pxe_config_template_by_arch =
+
+# IP address of ironic-conductor node's TFTP server. (string
+# value)
+{%- if conductor.get('tftp_server') %}
+tftp_server = {{ conductor.tftp_server }}
+{%- else %}
+#tftp_server = $my_ip
+{%- endif %}
+
+# ironic-conductor node's TFTP root path. The ironic-conductor
+# must have read/write access to this path. (string value)
+{%- if conductor.get('tftp_root') %}
+tftp_root = {{ conductor.tftp_root }}
+{%- else %}
+#tftp_root = /tftpboot
+{%- endif %}
+
+# On ironic-conductor node, directory where master TFTP images
+# are stored on disk. Setting to the empty string disables
+# image caching. (string value)
+{%- if conductor.get('tftp_master_path') %}
+tftp_master_path = {{ conductor.tftp_master_path }}
+{%- else %}
+#tftp_master_path = /tftpboot/master_images
+{%- endif %}
+
+# The permission that will be applied to the TFTP folders upon
+# creation. This should be set to the permission such that the
+# tftpserver has access to read the contents of the configured
+# TFTP folder. This setting is only required when the
+# operating system's umask is restrictive such that ironic-
+# conductor is creating files that cannot be read by the TFTP
+# server. Setting to <None> will result in the operating
+# system's umask to be utilized for the creation of new tftp
+# folders. It is recommended that an octal representation is
+# specified. For example: 0o755 (integer value)
+#dir_permission = <None>
+
+# Bootfile DHCP parameter. (string value)
+{%- if conductor.get('pxe_bootfile_name') %}
+pxe_bootfile_name = {{ conductor.pxe_bootfile_name }}
+{%- else %}
+#pxe_bootfile_name = pxelinux.0
+{%- endif %}
+
+# Directory in which to create symbolic links which represent
+# the MAC or IP address of the the ports on a node and allow
+# boot loaders to load the PXE file for the node. This
+# directory name is relative to the PXE or iPXE folders.
+# (string value)
+#pxe_config_subdir = pxelinux.cfg
+
+# Bootfile DHCP parameter for UEFI boot mode. (string value)
+#uefi_pxe_bootfile_name = bootx64.efi
+{%- if ironic.uefi.enabled %}
+{%- if ironic.uefi.pxe_bootfile_name is defined %}
+uefi_pxe_bootfile_name={{ ironic.uefi.pxe_bootfile_name }}
+{%- endif %}
+{%- endif %}
+
+# Bootfile DHCP parameter per node architecture. For example:
+# aarch64:grubaa64.efi (dict value)
+#pxe_bootfile_name_by_arch =
+
+# Enable iPXE boot. (boolean value)
+{%- if conductor.ipxe_enabled is defined %}
+ipxe_enabled = {{ conductor.ipxe_enabled }}
+{%- else %}
+#ipxe_enabled = false
+{%- endif %}
+
+# On ironic-conductor node, the path to the main iPXE script
+# file. (string value)
+#ipxe_boot_script = $pybasedir/drivers/modules/boot.ipxe
+
+# Timeout value (in seconds) for downloading an image via
+# iPXE. Defaults to 0 (no timeout) (integer value)
+#ipxe_timeout = 0
+
+# The IP version that will be used for PXE booting. Defaults
+# to 4. EXPERIMENTAL (string value)
+# Possible values:
+# 4 - IPv4
+# 6 - IPv6
+#ip_version = 4
+
+# Download deploy and rescue images directly from swift using
+# temporary URLs. If set to false (default), images are
+# downloaded to the ironic-conductor node and served over its
+# local HTTP server. Applicable only when 'ipxe_enabled'
+# option is set to true. (boolean value)
+#ipxe_use_swift = false
+
+
+[service_catalog]
+{%- set _data = ironic.get('identity', {}) %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/rocky/keystoneauth/_type_" + auth_type + ".conf" %}
+
+
+[snmp]
+
+#
+# From ironic
+#
+
+# Seconds to wait for power action to be completed (integer
+# value)
+#power_timeout = 10
+
+# Time (in seconds) to sleep between when rebooting (powering
+# off and on again) (integer value)
+# Minimum value: 0
+#reboot_delay = 0
+
+# Response timeout in seconds used for UDP transport. Timeout
+# should be a multiple of 0.5 seconds and is applicable to
+# each retry. (floating point value)
+# Minimum value: 0
+#udp_transport_timeout = 1.0
+
+# Maximum number of UDP request retries, 0 means no retries.
+# (integer value)
+# Minimum value: 0
+#udp_transport_retries = 5
+
+
+[ssl]
+
+#
+# From oslo.service.sslutils
+#
+
+# CA certificate file to use to verify connecting clients.
+# (string value)
+# Deprecated group/name - [DEFAULT]/ssl_ca_file
+#ca_file = <None>
+
+# Certificate file to use when starting the server securely.
+# (string value)
+# Deprecated group/name - [DEFAULT]/ssl_cert_file
+#cert_file = <None>
+
+# Private key file to use when starting the server securely.
+# (string value)
+# Deprecated group/name - [DEFAULT]/ssl_key_file
+#key_file = <None>
+
+# SSL version to use (valid only if SSL enabled). Valid values
+# are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may
+# be available on some distributions. (string value)
+#version = <None>
+
+# Sets the list of available ciphers. value should be a string
+# in the OpenSSL cipher list format. (string value)
+#ciphers = <None>
+
+
+[swift]
+{%- set _data = ironic.get('swift', ironic.get('identity', {})) %}
+{%- if 'cacert_file' not in _data.keys() %}{% do _data.update({'cacert_file': ironic.cacert_file}) %}{% endif %}
+{%- set auth_type = _data.get('auth_type', 'password') %}
+{%- include "oslo_templates/files/rocky/keystoneauth/_type_" + auth_type + ".conf" %}
+
+# Maximum number of times to retry a Swift request, before
+# failing. (integer value)
+#swift_max_retries = 2
+
+# Scope for system operations (string value)
+#system_scope = <None>
+
+# Tenant ID (string value)
+#tenant_id = <None>
+
+# Tenant Name (string value)
+#tenant_name = <None>
+
+# Timeout value for http requests (integer value)
+#timeout = <None>
+
+# Trust ID (string value)
+#trust_id = <None>
+
+# User's domain id (string value)
+#user_domain_id = <None>
+
+# User's domain name (string value)
+#user_domain_name = <None>
+
+# User id (string value)
+#user_id = <None>
+
+# Username (string value)
+# Deprecated group/name - [swift]/user_name
+#username = <None>
+
+# List of interfaces, in order of preference, for endpoint
+# URL. (list value)
+#valid_interfaces = internal,public
+
+# Minimum Major API version within a given Major API version
+# for endpoint URL discovery. Mutually exclusive with
+# min_version and max_version (string value)
+#version = <None>
+
+
+[xclarity]
+
+#
+# From ironic
+#
+
+# IP address of the XClarity Controller. Configuration here is
+# deprecated and will be removed in the Stein release. Please
+# update the driver_info field to use "xclarity_manager_ip"
+# instead (string value)
+#manager_ip = <None>
+
+# Username for the XClarity Controller. Configuration here is
+# deprecated and will be removed in the Stein release. Please
+# update the driver_info field to use "xclarity_username"
+# instead (string value)
+#username = <None>
+
+# Password for XClarity Controller username. Configuration
+# here is deprecated and will be removed in the Stein release.
+# Please update the driver_info field to use
+# "xclarity_password" instead (string value)
+#password = <None>
+
+# Port to be used for XClarity Controller connection. (port
+# value)
+# Minimum value: 0
+# Maximum value: 65535
+#port = 443
diff --git a/ironic/files/rocky/policy.json b/ironic/files/rocky/policy.json
new file mode 100644
index 0000000..25f2838
--- /dev/null
+++ b/ironic/files/rocky/policy.json
@@ -0,0 +1,17 @@
+{%- from "ironic/map.jinja" import api with context %}
+{
+{%- if api.api_type == 'deploy' %}
+{#- This is policy.json for deploy type of API, only heartbeat and lookup allowed #}
+"admin_api": "!",
+"public_api": "is_public_api:True",
+"is_observer": "!",
+"is_admin": "!"
+
+{%- elif  api.api_type == 'public' %}
+{#- This is policy.json for public API, block access to paswordless endpoints #}
+
+"public_api": "is_public_api:False"
+
+{%- endif %}
+
+}