| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 1 | |
| Pavel Cizinsky | 2d241f1 | 2018-12-12 12:02:03 +0100 | [diff] [blame] | 2 | ====== |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 3 | ironic |
| Pavel Cizinsky | 2d241f1 | 2018-12-12 12:02:03 +0100 | [diff] [blame] | 4 | ====== |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 5 | |
| 6 | Service ironic description |
| 7 | |
| 8 | Sample pillars |
| 9 | ============== |
| 10 | |
| 11 | Single ironic service |
| 12 | |
| 13 | .. code-block:: yaml |
| 14 | |
| 15 | ironic: |
| 16 | api: |
| 17 | enabled: true |
| 18 | version: mitaka |
| 19 | bind: |
| 20 | address: 0.0.0.0 |
| 21 | port: 6385 |
| Ivan Berezovskiy | 0c6b38c | 2019-11-19 15:23:05 +0400 | [diff] [blame] | 22 | concurrency: |
| 23 | lock_path: '/var/lib/ironic/tmp' |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 24 | database: |
| 25 | engine: mysql |
| 26 | host: localhost |
| 27 | port: 3306 |
| 28 | name: ironic |
| 29 | user: ironic |
| 30 | password: password |
| 31 | identity: |
| 32 | engine: keystone |
| 33 | region: RegionOne |
| 34 | host: localhost |
| 35 | port: 35357 |
| 36 | user: ironic |
| 37 | password: password |
| 38 | tenant: service |
| 39 | message_queue: |
| 40 | engine: rabbitmq |
| 41 | host: localhost |
| 42 | port: 5672 |
| 43 | user: openstack |
| 44 | password: password |
| 45 | virtual_host: '/openstack' |
| 46 | conductor: |
| 47 | enabled: true |
| 48 | version: mitaka |
| Ivan Berezovskiy | 0c6b38c | 2019-11-19 15:23:05 +0400 | [diff] [blame] | 49 | concurrency: |
| 50 | lock_path: '/var/lib/ironic/tmp' |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 51 | database: |
| 52 | engine: mysql |
| 53 | host: localhost |
| 54 | port: 3306 |
| 55 | name: ironic |
| 56 | user: ironic |
| 57 | password: password |
| 58 | message_queue: |
| 59 | engine: rabbitmq |
| 60 | host: localhost |
| 61 | port: 5672 |
| 62 | user: openstack |
| 63 | password: password |
| 64 | virtual_host: '/openstack' |
| 65 | |
| 66 | Standalone ironic without keystone |
| 67 | |
| 68 | .. code-block:: yaml |
| 69 | |
| 70 | ironic: |
| 71 | api: |
| 72 | version: mitaka |
| 73 | enabled: true |
| 74 | bind: |
| 75 | address: 0.0.0.0 |
| 76 | port: 6385 |
| 77 | database: |
| 78 | engine: mysql |
| 79 | host: localhost |
| 80 | port: 3306 |
| 81 | name: ironic |
| 82 | user: ironic |
| 83 | password: password |
| 84 | identity: |
| 85 | engine: noauth |
| 86 | message_queue: |
| 87 | engine: rabbitmq |
| 88 | host: localhost |
| 89 | port: 5672 |
| 90 | user: openstack |
| 91 | password: password |
| 92 | virtual_host: '/openstack' |
| 93 | conductor: |
| 94 | enabled: true |
| 95 | version: mitaka |
| 96 | database: |
| 97 | engine: mysql |
| 98 | host: localhost |
| 99 | port: 3306 |
| 100 | name: ironic |
| 101 | user: ironic |
| 102 | password: password |
| 103 | message_queue: |
| 104 | engine: rabbitmq |
| 105 | host: localhost |
| 106 | port: 5672 |
| 107 | user: openstack |
| 108 | password: password |
| 109 | virtual_host: '/openstack' |
| Oleksandr Shyshko | 258bf7c | 2018-09-13 14:23:29 +0300 | [diff] [blame] | 110 | |
| Ivan Berezovskiy | 9d8b13b | 2020-03-26 18:46:49 +0400 | [diff] [blame^] | 111 | Configuration of policy.json file: |
| 112 | |
| 113 | .. code-block:: yaml |
| 114 | |
| 115 | ironic: |
| 116 | api: |
| 117 | ... |
| 118 | api_type: deploy |
| 119 | policy: |
| 120 | 'baremetal:node:create': 'rule:is_admin' |
| 121 | 'baremetal:node:delete': 'rule:is_admin' |
| 122 | # Add key without value to remove line from policy.json |
| 123 | 'baremetal:node:update': |
| 124 | |
| Oleksandr Shyshko | 258bf7c | 2018-09-13 14:23:29 +0300 | [diff] [blame] | 125 | Enable x509 and ssl communication between Ironic and Galera cluster. |
| 126 | --------------------- |
| 127 | By default communication between Ironic and Galera is unsecure. |
| 128 | |
| 129 | ironic: |
| 130 | api: |
| 131 | database: |
| 132 | x509: |
| 133 | enabled: True |
| 134 | conductor: |
| 135 | database: |
| 136 | x509: |
| 137 | enabled: True |
| 138 | |
| 139 | You able to set custom certificates in pillar: |
| 140 | |
| 141 | ironic: |
| 142 | api: |
| 143 | database: |
| 144 | x509: |
| 145 | cacert: (certificate content) |
| 146 | cert: (certificate content) |
| 147 | key: (certificate content) |
| 148 | conductor: |
| 149 | database: |
| 150 | x509: |
| 151 | cacert: (certificate content) |
| 152 | cert: (certificate content) |
| 153 | key: (certificate content) |
| 154 | |
| 155 | You can read more about it here: |
| 156 | https://docs.openstack.org/security-guide/databases/database-access-control.html |
| 157 | |
| Oleksandr Shyshko | c51d28c | 2018-09-20 12:30:00 +0300 | [diff] [blame] | 158 | Enable x509 and ssl communication between Ironic and Rabbitmq. |
| 159 | --------------------- |
| 160 | By default communication between Ironic and Rabbitmq is unsecure. |
| 161 | |
| 162 | .. code-block:: yaml |
| 163 | |
| 164 | ironic: |
| 165 | api: |
| 166 | message_queue: |
| 167 | x509: |
| 168 | enabled: True |
| 169 | conductor: |
| 170 | message_queue: |
| 171 | x509: |
| 172 | enabled: True |
| 173 | |
| 174 | You able to set custom certificates in pillar: |
| 175 | |
| 176 | .. code-block:: yaml |
| 177 | |
| 178 | ironic: |
| 179 | api: |
| 180 | message_queue: |
| 181 | x509: |
| 182 | cacert: (certificate content) |
| 183 | cert: (certificate content) |
| 184 | key: (certificate content) |
| 185 | conductor: |
| 186 | message_queue: |
| 187 | x509: |
| 188 | cacert: (certificate content) |
| 189 | cert: (certificate content) |
| 190 | key: (certificate content) |
| 191 | |
| 192 | You can read more about it here: |
| 193 | https://docs.openstack.org/security-guide/messaging/security.html |
| Oleksandr Bryndzii | 69a6d02 | 2018-11-07 12:38:16 +0200 | [diff] [blame] | 194 | |
| 195 | Ironic service with cache and security enabled |
| 196 | |
| 197 | .. code-block:: yaml |
| 198 | |
| 199 | ironic: |
| 200 | api: |
| 201 | enabled: true |
| 202 | version: pike |
| 203 | cache: |
| 204 | engine: memcached |
| 205 | members: |
| 206 | - host: 127.0.0.1 |
| 207 | port: 11211 |
| 208 | - host: 127.0.0.1 |
| 209 | port: 11211 |
| 210 | security: |
| 211 | enabled: true |
| 212 | strategy: ENCRYPT |
| 213 | secret_key: secret |
| Vasyl Saienko | ebaa23c | 2019-01-19 09:14:36 +0000 | [diff] [blame] | 214 | |
| Vasyl Saienko | 22f94f5 | 2019-01-29 10:56:16 +0000 | [diff] [blame] | 215 | |
| 216 | Enable serial console for Baremetal Nodes |
| 217 | ----------------------------------------- |
| 218 | |
| 219 | .. code-block:: yaml |
| 220 | |
| 221 | ironic: |
| 222 | conductor: |
| 223 | console: |
| 224 | terminal: shellinaboxd |
| 225 | terminal_cert_dir: /tmp/ca |
| 226 | terminal_timeout: 10 |
| 227 | subprocess_checking_interval: 1 |
| 228 | subprocess_timeout: 10 |
| Kostiantyn Ovchynnykov | 878c514 | 2019-08-22 11:57:46 +0300 | [diff] [blame] | 229 | kill_timeout: 1 |
| Vasyl Saienko | 22f94f5 | 2019-01-29 10:56:16 +0000 | [diff] [blame] | 230 | socat_address: 127.0.0.1 |
| 231 | |
| 232 | You can read more info about it here: |
| 233 | https://docs.openstack.org/ironic/pike/admin/console.html#node-serial-console |
| 234 | |
| 235 | |
| Vasyl Saienko | ebaa23c | 2019-01-19 09:14:36 +0000 | [diff] [blame] | 236 | Ensure nodes are in target state (available). |
| 237 | Starting from 1.11 API microversion newly-created node is moved to `enroll` |
| 238 | state. To move it to available the following client pillar might be used: |
| 239 | |
| 240 | .. code-block:: yaml |
| 241 | |
| 242 | ironic: |
| 243 | client: |
| 244 | node_state_transition: |
| 245 | enabled: true |
| 246 | enroll_to_available: |
| 247 | provision_state: 'enroll' |
| 248 | pool_size: 5 |
| 249 | sleep_time: 10 |
| 250 | timeout: 15 |
| root | afa89e6 | 2019-02-05 16:44:43 +0000 | [diff] [blame] | 251 | |
| Oleksandr Pidrepnyi | c2db714 | 2019-05-13 16:18:47 +0300 | [diff] [blame] | 252 | Change default options using configmap template settings |
| 253 | ======================================================== |
| 254 | |
| 255 | .. code-block:: yaml |
| 256 | |
| 257 | ironic: |
| 258 | api: |
| 259 | configmap: |
| 260 | DEFAULT: |
| 261 | enabled_drivers: pxe_ipmitool |
| 262 | enabled_hardware_types: ipmi |
| 263 | enabled_boot_interfaces: pxe |
| 264 | api: |
| 265 | host_ip: 0.0.0.0 |
| 266 | port: 6385 |
| 267 | max_limit: 1000 |
| 268 | conductor: |
| 269 | configmap: |
| 270 | DEFAULT: |
| 271 | enabled_drivers: pxe_ipmitool |
| 272 | enabled_hardware_types: ipmi |
| 273 | enabled_boot_interfaces: pxe |
| 274 | disk_partitioner: |
| 275 | check_device_interval: 1 |
| 276 | check_device_max_retries: 20 |
| 277 | disk_utils: |
| 278 | efi_system_partition_size: 200 |
| 279 | bios_boot_partition_size: 1 |
| 280 | |
| Kostiantyn Ovchynnykov | 4c3ba1f | 2019-08-22 12:26:26 +0300 | [diff] [blame] | 281 | Enable direct http deploy feature |
| 282 | ======================================================== |
| 283 | |
| 284 | .. code-block:: yaml |
| 285 | |
| 286 | ironic: |
| 287 | conductor: |
| 288 | image_download_source: http |
| 289 | |
| root | afa89e6 | 2019-02-05 16:44:43 +0000 | [diff] [blame] | 290 | Upgrades |
| 291 | ======== |
| 292 | |
| 293 | Each openstack formula provide set of phases (logical blocks) that will help to |
| 294 | build flexible upgrade orchestration logic for particular components. The list |
| 295 | of phases and theirs descriptions are listed in table below: |
| 296 | |
| 297 | +-------------------------------+------------------------------------------------------+ |
| 298 | | State | Description | |
| 299 | +===============================+======================================================+ |
| 300 | | <app>.upgrade.service_running | Ensure that all services for particular application | |
| 301 | | | are enabled for autostart and running | |
| 302 | +-------------------------------+------------------------------------------------------+ |
| 303 | | <app>.upgrade.service_stopped | Ensure that all services for particular application | |
| 304 | | | disabled for autostart and dead | |
| 305 | +-------------------------------+------------------------------------------------------+ |
| 306 | | <app>.upgrade.pkgs_latest | Ensure that packages used by particular application | |
| 307 | | | are installed to latest available version. | |
| 308 | | | This will not upgrade data plane packages like qemu | |
| 309 | | | and openvswitch as usually minimal required version | |
| 310 | | | in openstack services is really old. The data plane | |
| 311 | | | packages should be upgraded separately by `apt-get | |
| 312 | | | upgrade` or `apt-get dist-upgrade` | |
| 313 | | | Applying this state will not autostart service. | |
| 314 | +-------------------------------+------------------------------------------------------+ |
| 315 | | <app>.upgrade.render_config | Ensure configuration is rendered actual version. + |
| 316 | +-------------------------------+------------------------------------------------------+ |
| 317 | | <app>.upgrade.pre | We assume this state is applied on all nodes in the | |
| 318 | | | cloud before running upgrade. | |
| 319 | | | Only non destructive actions will be applied during | |
| 320 | | | this phase. Perform service built in service check | |
| 321 | | | like (keystone-manage doctor and nova-status upgrade)| |
| 322 | +-------------------------------+------------------------------------------------------+ |
| 323 | | <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this | |
| 324 | | | phase resources will be gracefully removed from | |
| 325 | | | current node if it is allowed. Services for upgraded | |
| 326 | | | application will be set to admin disabled state to | |
| 327 | | | make sure node will not participate in resources | |
| 328 | | | scheduling. For example on gtw nodes this will set | |
| 329 | | | all agents to admin disable state and will move all | |
| 330 | | | routers to other agents. | |
| 331 | +-------------------------------+------------------------------------------------------+ |
| 332 | | <app>.upgrade.upgrade | This state will basically upgrade application on | |
| 333 | | | particular target. Stop services, render | |
| 334 | | | configuration, install new packages, run offline | |
| 335 | | | dbsync (for ctl), start services. Data plane should | |
| 336 | | | not be affected, only OpenStack python services. | |
| 337 | +-------------------------------+------------------------------------------------------+ |
| 338 | | <app>.upgrade.upgrade.post | Add services back to scheduling. | |
| 339 | +-------------------------------+------------------------------------------------------+ |
| 340 | | <app>.upgrade.post | This phase should be launched only when upgrade of | |
| 341 | | | the cloud is completed. Cleanup temporary files, | |
| 342 | | | perform other post upgrade tasks. | |
| 343 | +-------------------------------+------------------------------------------------------+ |
| 344 | | <app>.upgrade.verify | Here we will do basic health checks (API CRUD | |
| 345 | | | operations, verify do not have dead network | |
| 346 | | | agents/compute services) | |
| 347 | +-------------------------------+------------------------------------------------------+ |
| 348 | |
| 349 | Upgrade pillar example: |
| 350 | ironic: |
| 351 | upgrade: |
| 352 | enabled: True |
| 353 | old_release: pike |
| 354 | new_release: queens |