ironic conductor #0

Supports: bionic focal
Add to new model

Description

OpenStack bare metal provisioning a.k.a Ironic is an integrated OpenStack program which aims to provision bare metal machines instead of virtual machines, forked from the Nova baremetal driver. It is best thought of as a bare metal hypervisor API and a set of plugins which interact with the bare metal hypervisors. By default, it will use PXE and IPMI in order to provision and turn on/off machines, but Ironic also supports vendor-specific plugins which may implement additional functionality.


Overview

This charm provides the Ironic bare metal conductor service for an OpenStack cloud, starting with train. To get a fully functional Ironic deployment, you will also need the ironic-api and neutron-api-plugin-ironic charms to be deployed.

Deployment

To deploy (partial deployment only):

juju deploy nova-compute \
  --config virt-type="ironic" nova-ironic
juju deploy ironic-conductor

juju add-relation nova-ironic ironic-api
juju add-relation ironic-conductor ironic-api
juju add-relation ironic-conductor keystone
juju add-relation ironic-conductor rabbitmq-server
juju add-relation ironic-conductor mysql

Configuration

There are a number of configuration parameters that greatly influence how the Ironic conductor service will behave. We will detail the ones that require special consideration.

Deployment interfaces

The Ironic conductor charm currently supports two deployment interfaces:

  • direct
  • iscsi

The iSCSI deployment interface

How it works (really high level view):

  • Ironic python agent boots on remote bare metal machine
  • Ironic python agent exports all disks as iSCSI targets
  • Ironic conductor logs into the iSCSI target and writes the operating system image to the target disk

Pros:

  • Minimal requirements in terms of supporting services (glance, swift, etc)

Cons:

  • The ironic-conductor service needs to be deployed on a bare metal server, or inside a VM. Containerizing the conductor service will make the iscsi deployment method, fail.   The reason for this is that the iscsi kernel module is not namespaced at all, and any attempt to log into an iSCSI target, will happen on the host, not inside the container.
  • Heavy lifting is done by conductor itself:
    • Downloading and converting the Glance image
    • Writing the disk data to the iSCSI target
    • Applying any post-write configuration
  • Requires more Ironic conductor units as the number of bare metal nodes increases

You can set this deployment interface by running the following commands:

juju config ironic-conductor \
  enabled-deploy-interfaces="iscsi, direct"
  default-deploy-interface="iscsi"

The default deploy interface can be overwritten for individual bare metal nodes setting the --deploy-interface explicitly:

openstack baremetal node set $NODE_NAME --deploy-interface iscsi

Whenever possible, avoid using the iSCSI deployment interface, in favor of the direct deployment interface.

The direct deployment interface

How it works (really high level view):

  • The Ironic python agent boots on a remote bare metal machine
  • The Ironic agent fetches any needed images from glance and writes them to local storage.

Pros:

  • All heavy lifting is done by the node that is getting deployed
  • The Ironic conductor can be deployed inside an LXD container
  • Fewer Ironic conductor units are needed, as no real processing is done on these machines

Cons:

  • Requires the whole Operating system image to fit in the node’s memory, except when using raw images. Raw images are streamed directly to disk.

Special considerations:

  • Glance must be related to Swift/RadosGW, and support multi-backend, or use object-store as its default storage backend
  • Ironic relies on being able to generate temporary URLs
    • The set-temp-url-secret action must be run to properly set Temp-Url-Key
  • If ceph-radosgw is used, it must be deployed with the namespace-tenants options set to true

You can set this deployment interface by running the following commands:

juju config ironic-conductor \
  enabled-deploy-interfaces="iscsi, direct"
  default-deploy-interface="direct"

The default deploy interface can be overwritten for individual bare metal nodes setting the --deploy-interface explicitly:

openstack baremetal node set $NODE_NAME --deploy-interface direct

Network interfaces

Ironic can be configured for multi-tenancy by leveraging the neutron network interface.

The currently supported network interfaces are: * neutron * flat * noop

When using the neutron network interface, the following configuration options become mandatory:

  • provisioning-network
  • cleaning-network

These networks will need to be created by the operator beforehand.

For details and security considerations in regards to the selected network interfaces, please refer to the Configure tenant networks section of the Ironic documentation.

Pay close attention to the notes and security warnings highlighted on that page.

Neutron configuration

If using the flat network interface, the following configurations will need to be made on neutron-gateway:

juju config neutron-gateway \
    enable-isolated-metadata=true \
    enable-metadata-network=true

This will allow ironic nodes to access their metadata. Routes will be pushed to them via DHCP that will allow access to 169.254.169.254.

Misc options

The following options may also be of interest:

  • pxe-append-params - You may use this to pass any additional options to the linux kernel, or the Ironic Python Agent (IPA) during deployment. For a list of IPA flags that can be set (ipa-insecure, ssh public key, root password, etc), please see the IPA documentation page
  • automated-cleaning - enables (default) or disables automated cleaning of nodes.
  • disable-secure-erase - disables secure erase of bare metal instance disks, on release. By default, secure erase is enabled. Set this option to true to disable secure erase. Useful for testing.

Please refer to the charm config for a complete list of available charm options.


Configuration

action-managed-upgrade
(boolean) If True enables openstack upgrades for this charm via juju actions. You will still need to set openstack-origin to the new repository but instead of an upgrade running automatically across all units, it will wait for you to execute the openstack-upgrade action for this charm on each unit. If False it will revert to existing behavior of upgrading all units on config change.
automated-cleaning
(boolean) Globally enables automated cleaning of nodes. This is run when setting a node to available state, or when deleting an instance. Cleaning will bring the node in a baseline state. You can safely disable this feature if all tenants of your OpenStack deployment are trusted, or if you have a single tenant. Note: Automated cleaning can be toggled on a per node basis, via node properties. Note: node cleaning may take a long time, especially if secure erase is enabled.
True
cleaning-network
(string) The name or ID of the cleaning network. This network is used to clean bare metal nodes after they have been releases. This option is mandatory to allow Neutron network interfaces. The same network may be used for both cleaning and provisioning.
database
(string) Database name for Ironic
ironic
database-user
(string) Username for Ironic database access
ironic
debug
(boolean) Enable debug logging
default-deploy-interface
(string) The default deploy interface to use for nodes that do not explicitly set a deploy interface.
direct
default-network-interface
(string) The default network interface to use for nodes that do not explicitly set a network interface type. The default network interface specified here, must also exist in the list of enabled-network-interfaces.
flat
disable-secure-erase
(boolean) This will disable secure erase in Ironic, when releasing a node. An ATA Secure Erase will be attempted. If it's not supported, the disks will be shreaded by writting random data to them once, then overwriting that data with zeros. Enabling this option will preserve the data on disk after release (not recommended for production).
enabled-deploy-interfaces
(string) Comma separated list of deploy interfaces to use. Valid options are: * direct * iscsi Note: To enable the direct deploy interface, the following conditions must be met in your deployment of OpenStack: * ceph-radosgw or swift is deployed and available * glance is deployed and has a relation set to ceph-radosgw or swift * You ran the set-temp-url-secret action of this charm If any of these conditions are not met, the direct deploy interface will not be enabled in the config, and the charm will go into blocked state. Note: The iscsi deploy mode requires that ironic-conductor be deployed on a VM or a bare metal machine. That is because the iscsi kernel module is not namespaced, and the ironic-conductor will not be able to log into any iscsi target.
direct, iscsi
enabled-network-interfaces
(string) Comma separated list of network interfaces to be enabled in the Ironic config. Valid options are: * flat * neutron * noop Note: When enabling "neutron", you will also have to set the provisioning-network and the cleaning-network options. The settings for these networks can be overwritten per node, but they need to be set globally for ironic to start. The "neutron" network interface is needed if you require additional enablement from a ml2 driver you may have enabled in your deployment, such as switch configuration.
flat, neutron, noop
ipxe-http-port
(string) The port used for the HTTP server used to serve iPXE resources.
8080
max-tftp-block-size
(int) Force TFTP server maximum block size. Setting this option to anything other than 0, will force the block size sent over TFTP to the value specified here. Valid range is 512-65535. By default, clients will negotiate the block size. Use this option if you're running ironic in a network with lower MTU. The value of this option should be 32 bits less than the MTU. If your MTU is 1450, the value for this option should be 1418.
openstack-origin
(string) Repository from which to install. May be one of the following: distro (default), ppa:somecustom/ppa, a deb url sources entry, or a supported Ubuntu Cloud Archive e.g. . cloud:<series>-<openstack-release> cloud:<series>-<openstack-release>/updates cloud:<series>-<openstack-release>/staging cloud:<series>-<openstack-release>/proposed . See https://wiki.ubuntu.com/OpenStack/CloudArchive for info on which cloud archives are available and supported.
distro
provisioning-network
(string) The name or ID of the provisioning network. This network is used to deploy bare metal nodes. This option is mandatory to allow Neutron network interfaces.
pxe-append-params
(string) Kernel command line parameters to pass to the deployment kernel. Options must be space delimited and will be passed as is to the deployment image. Aside from regular linux kernel command line parameters, you can also configure the ironic python agent (IPA) from within the deployment image. See the IPA documentation for a list of command line parameters which can be passed via pxe_append_params.
nofb nomodeset vga=normal console=tty0 console=ttyS0,115200n8
rabbit-user
(string) Username used to access rabbitmq queue
ironic
rabbit-vhost
(string) Rabbitmq vhost
openstack
region
(string) OpenStack Region
RegionOne
ssl_ca
(string) TLS CA to use to communicate with other components in a deployment. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
ssl_cert
(string) TLS certificate to install and use for any listening services. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
ssl_key
(string) TLS key to use with certificate specified as ``ssl_cert``. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
use-internal-endpoints
(boolean) Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
use-ipxe
(boolean) Use iPXE instead of PXE. This option will install an aditional HTTP server with a root in /httpboot.
True
use-syslog
(boolean) Setting this to True will allow supporting services to log to syslog.
verbose
(boolean) Enable verbose logging