| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 1 | |
| Pavel Cizinsky | 2d241f1 | 2018-12-12 12:02:03 +0100 | [diff] [blame] | 2 | ====== |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 3 | ironic |
| Pavel Cizinsky | 2d241f1 | 2018-12-12 12:02:03 +0100 | [diff] [blame] | 4 | ====== |
| Vasyl Saienko | 8403d17 | 2017-04-27 14:21:46 +0300 | [diff] [blame] | 5 | |
| 6 | Service ironic description |
| 7 | |
| 8 | Sample pillars |
| 9 | ============== |
| 10 | |
| 11 | Single ironic service |
| 12 | |
| 13 | .. code-block:: yaml |
| 14 | |
| 15 | ironic: |
| 16 | api: |
| 17 | enabled: true |
| 18 | version: mitaka |
| 19 | bind: |
| 20 | address: 0.0.0.0 |
| 21 | port: 6385 |
| 22 | database: |
| 23 | engine: mysql |
| 24 | host: localhost |
| 25 | port: 3306 |
| 26 | name: ironic |
| 27 | user: ironic |
| 28 | password: password |
| 29 | identity: |
| 30 | engine: keystone |
| 31 | region: RegionOne |
| 32 | host: localhost |
| 33 | port: 35357 |
| 34 | user: ironic |
| 35 | password: password |
| 36 | tenant: service |
| 37 | message_queue: |
| 38 | engine: rabbitmq |
| 39 | host: localhost |
| 40 | port: 5672 |
| 41 | user: openstack |
| 42 | password: password |
| 43 | virtual_host: '/openstack' |
| 44 | conductor: |
| 45 | enabled: true |
| 46 | version: mitaka |
| 47 | database: |
| 48 | engine: mysql |
| 49 | host: localhost |
| 50 | port: 3306 |
| 51 | name: ironic |
| 52 | user: ironic |
| 53 | password: password |
| 54 | message_queue: |
| 55 | engine: rabbitmq |
| 56 | host: localhost |
| 57 | port: 5672 |
| 58 | user: openstack |
| 59 | password: password |
| 60 | virtual_host: '/openstack' |
| 61 | |
| 62 | Standalone ironic without keystone |
| 63 | |
| 64 | .. code-block:: yaml |
| 65 | |
| 66 | ironic: |
| 67 | api: |
| 68 | version: mitaka |
| 69 | enabled: true |
| 70 | bind: |
| 71 | address: 0.0.0.0 |
| 72 | port: 6385 |
| 73 | database: |
| 74 | engine: mysql |
| 75 | host: localhost |
| 76 | port: 3306 |
| 77 | name: ironic |
| 78 | user: ironic |
| 79 | password: password |
| 80 | identity: |
| 81 | engine: noauth |
| 82 | message_queue: |
| 83 | engine: rabbitmq |
| 84 | host: localhost |
| 85 | port: 5672 |
| 86 | user: openstack |
| 87 | password: password |
| 88 | virtual_host: '/openstack' |
| 89 | conductor: |
| 90 | enabled: true |
| 91 | version: mitaka |
| 92 | database: |
| 93 | engine: mysql |
| 94 | host: localhost |
| 95 | port: 3306 |
| 96 | name: ironic |
| 97 | user: ironic |
| 98 | password: password |
| 99 | message_queue: |
| 100 | engine: rabbitmq |
| 101 | host: localhost |
| 102 | port: 5672 |
| 103 | user: openstack |
| 104 | password: password |
| 105 | virtual_host: '/openstack' |
| Oleksandr Shyshko | 258bf7c | 2018-09-13 14:23:29 +0300 | [diff] [blame] | 106 | |
| 107 | Enable x509 and ssl communication between Ironic and Galera cluster. |
| 108 | --------------------- |
| 109 | By default communication between Ironic and Galera is unsecure. |
| 110 | |
| 111 | ironic: |
| 112 | api: |
| 113 | database: |
| 114 | x509: |
| 115 | enabled: True |
| 116 | conductor: |
| 117 | database: |
| 118 | x509: |
| 119 | enabled: True |
| 120 | |
| 121 | You able to set custom certificates in pillar: |
| 122 | |
| 123 | ironic: |
| 124 | api: |
| 125 | database: |
| 126 | x509: |
| 127 | cacert: (certificate content) |
| 128 | cert: (certificate content) |
| 129 | key: (certificate content) |
| 130 | conductor: |
| 131 | database: |
| 132 | x509: |
| 133 | cacert: (certificate content) |
| 134 | cert: (certificate content) |
| 135 | key: (certificate content) |
| 136 | |
| 137 | You can read more about it here: |
| 138 | https://docs.openstack.org/security-guide/databases/database-access-control.html |
| 139 | |
| Oleksandr Shyshko | c51d28c | 2018-09-20 12:30:00 +0300 | [diff] [blame] | 140 | Enable x509 and ssl communication between Ironic and Rabbitmq. |
| 141 | --------------------- |
| 142 | By default communication between Ironic and Rabbitmq is unsecure. |
| 143 | |
| 144 | .. code-block:: yaml |
| 145 | |
| 146 | ironic: |
| 147 | api: |
| 148 | message_queue: |
| 149 | x509: |
| 150 | enabled: True |
| 151 | conductor: |
| 152 | message_queue: |
| 153 | x509: |
| 154 | enabled: True |
| 155 | |
| 156 | You able to set custom certificates in pillar: |
| 157 | |
| 158 | .. code-block:: yaml |
| 159 | |
| 160 | ironic: |
| 161 | api: |
| 162 | message_queue: |
| 163 | x509: |
| 164 | cacert: (certificate content) |
| 165 | cert: (certificate content) |
| 166 | key: (certificate content) |
| 167 | conductor: |
| 168 | message_queue: |
| 169 | x509: |
| 170 | cacert: (certificate content) |
| 171 | cert: (certificate content) |
| 172 | key: (certificate content) |
| 173 | |
| 174 | You can read more about it here: |
| 175 | https://docs.openstack.org/security-guide/messaging/security.html |
| Oleksandr Bryndzii | 69a6d02 | 2018-11-07 12:38:16 +0200 | [diff] [blame] | 176 | |
| 177 | Ironic service with cache and security enabled |
| 178 | |
| 179 | .. code-block:: yaml |
| 180 | |
| 181 | ironic: |
| 182 | api: |
| 183 | enabled: true |
| 184 | version: pike |
| 185 | cache: |
| 186 | engine: memcached |
| 187 | members: |
| 188 | - host: 127.0.0.1 |
| 189 | port: 11211 |
| 190 | - host: 127.0.0.1 |
| 191 | port: 11211 |
| 192 | security: |
| 193 | enabled: true |
| 194 | strategy: ENCRYPT |
| 195 | secret_key: secret |
| Vasyl Saienko | ebaa23c | 2019-01-19 09:14:36 +0000 | [diff] [blame] | 196 | |
| Vasyl Saienko | 22f94f5 | 2019-01-29 10:56:16 +0000 | [diff] [blame] | 197 | |
| 198 | Enable serial console for Baremetal Nodes |
| 199 | ----------------------------------------- |
| 200 | |
| 201 | .. code-block:: yaml |
| 202 | |
| 203 | ironic: |
| 204 | conductor: |
| 205 | console: |
| 206 | terminal: shellinaboxd |
| 207 | terminal_cert_dir: /tmp/ca |
| 208 | terminal_timeout: 10 |
| 209 | subprocess_checking_interval: 1 |
| 210 | subprocess_timeout: 10 |
| 211 | socat_address: 127.0.0.1 |
| 212 | |
| 213 | You can read more info about it here: |
| 214 | https://docs.openstack.org/ironic/pike/admin/console.html#node-serial-console |
| 215 | |
| 216 | |
| Vasyl Saienko | ebaa23c | 2019-01-19 09:14:36 +0000 | [diff] [blame] | 217 | Ensure nodes are in target state (available). |
| 218 | Starting from 1.11 API microversion newly-created node is moved to `enroll` |
| 219 | state. To move it to available the following client pillar might be used: |
| 220 | |
| 221 | .. code-block:: yaml |
| 222 | |
| 223 | ironic: |
| 224 | client: |
| 225 | node_state_transition: |
| 226 | enabled: true |
| 227 | enroll_to_available: |
| 228 | provision_state: 'enroll' |
| 229 | pool_size: 5 |
| 230 | sleep_time: 10 |
| 231 | timeout: 15 |
| root | afa89e6 | 2019-02-05 16:44:43 +0000 | [diff] [blame] | 232 | |
| Oleksandr Pidrepnyi | c2db714 | 2019-05-13 16:18:47 +0300 | [diff] [blame] | 233 | Change default options using configmap template settings |
| 234 | ======================================================== |
| 235 | |
| 236 | .. code-block:: yaml |
| 237 | |
| 238 | ironic: |
| 239 | api: |
| 240 | configmap: |
| 241 | DEFAULT: |
| 242 | enabled_drivers: pxe_ipmitool |
| 243 | enabled_hardware_types: ipmi |
| 244 | enabled_boot_interfaces: pxe |
| 245 | api: |
| 246 | host_ip: 0.0.0.0 |
| 247 | port: 6385 |
| 248 | max_limit: 1000 |
| 249 | conductor: |
| 250 | configmap: |
| 251 | DEFAULT: |
| 252 | enabled_drivers: pxe_ipmitool |
| 253 | enabled_hardware_types: ipmi |
| 254 | enabled_boot_interfaces: pxe |
| 255 | disk_partitioner: |
| 256 | check_device_interval: 1 |
| 257 | check_device_max_retries: 20 |
| 258 | disk_utils: |
| 259 | efi_system_partition_size: 200 |
| 260 | bios_boot_partition_size: 1 |
| 261 | |
| root | afa89e6 | 2019-02-05 16:44:43 +0000 | [diff] [blame] | 262 | Upgrades |
| 263 | ======== |
| 264 | |
| 265 | Each openstack formula provide set of phases (logical blocks) that will help to |
| 266 | build flexible upgrade orchestration logic for particular components. The list |
| 267 | of phases and theirs descriptions are listed in table below: |
| 268 | |
| 269 | +-------------------------------+------------------------------------------------------+ |
| 270 | | State | Description | |
| 271 | +===============================+======================================================+ |
| 272 | | <app>.upgrade.service_running | Ensure that all services for particular application | |
| 273 | | | are enabled for autostart and running | |
| 274 | +-------------------------------+------------------------------------------------------+ |
| 275 | | <app>.upgrade.service_stopped | Ensure that all services for particular application | |
| 276 | | | disabled for autostart and dead | |
| 277 | +-------------------------------+------------------------------------------------------+ |
| 278 | | <app>.upgrade.pkgs_latest | Ensure that packages used by particular application | |
| 279 | | | are installed to latest available version. | |
| 280 | | | This will not upgrade data plane packages like qemu | |
| 281 | | | and openvswitch as usually minimal required version | |
| 282 | | | in openstack services is really old. The data plane | |
| 283 | | | packages should be upgraded separately by `apt-get | |
| 284 | | | upgrade` or `apt-get dist-upgrade` | |
| 285 | | | Applying this state will not autostart service. | |
| 286 | +-------------------------------+------------------------------------------------------+ |
| 287 | | <app>.upgrade.render_config | Ensure configuration is rendered actual version. + |
| 288 | +-------------------------------+------------------------------------------------------+ |
| 289 | | <app>.upgrade.pre | We assume this state is applied on all nodes in the | |
| 290 | | | cloud before running upgrade. | |
| 291 | | | Only non destructive actions will be applied during | |
| 292 | | | this phase. Perform service built in service check | |
| 293 | | | like (keystone-manage doctor and nova-status upgrade)| |
| 294 | +-------------------------------+------------------------------------------------------+ |
| 295 | | <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this | |
| 296 | | | phase resources will be gracefully removed from | |
| 297 | | | current node if it is allowed. Services for upgraded | |
| 298 | | | application will be set to admin disabled state to | |
| 299 | | | make sure node will not participate in resources | |
| 300 | | | scheduling. For example on gtw nodes this will set | |
| 301 | | | all agents to admin disable state and will move all | |
| 302 | | | routers to other agents. | |
| 303 | +-------------------------------+------------------------------------------------------+ |
| 304 | | <app>.upgrade.upgrade | This state will basically upgrade application on | |
| 305 | | | particular target. Stop services, render | |
| 306 | | | configuration, install new packages, run offline | |
| 307 | | | dbsync (for ctl), start services. Data plane should | |
| 308 | | | not be affected, only OpenStack python services. | |
| 309 | +-------------------------------+------------------------------------------------------+ |
| 310 | | <app>.upgrade.upgrade.post | Add services back to scheduling. | |
| 311 | +-------------------------------+------------------------------------------------------+ |
| 312 | | <app>.upgrade.post | This phase should be launched only when upgrade of | |
| 313 | | | the cloud is completed. Cleanup temporary files, | |
| 314 | | | perform other post upgrade tasks. | |
| 315 | +-------------------------------+------------------------------------------------------+ |
| 316 | | <app>.upgrade.verify | Here we will do basic health checks (API CRUD | |
| 317 | | | operations, verify do not have dead network | |
| 318 | | | agents/compute services) | |
| 319 | +-------------------------------+------------------------------------------------------+ |
| 320 | |
| 321 | Upgrade pillar example: |
| 322 | ironic: |
| 323 | upgrade: |
| 324 | enabled: True |
| 325 | old_release: pike |
| 326 | new_release: queens |