Ironic Installation Guide
OpenStack version: Newton
Ironic API
In this installation guide, Ironic API will be installed on controller node.
Prerequisites
Create essential user, service, and endpoint information for Ironic with OpenStack admin credential.
openstack user create --password password --email [email protected] ironic
openstack role add --project service --user ironic admin
openstack service create --name ironic --description "Ironic baremetal provisioning service" baremetal
openstack endpoint create --region RegionOne baremetal admin http://controller:6385
openstack endpoint create --region RegionOne baremetal public http://controller:6385
openstack endpoint create --region RegionOne baremetal internal http://controller:6385
openstack role create baremetal_admin
openstack role create baremetal_observer
openstack project create baremetal
openstack user create --domain default --project-domain default --project baremetal --password password baremetal_demo
openstack role add --user-domain default --project-domain default --project baremetal --user baremetal_demo baremetal_observer
Installation
sudo apt install ironic-api
Configuration
In /etc/ironic/ironic.conf:
[DEFAULT]
auth_strategy=keystone
enabled_network_interfaces = noop,flat,neutron
default_network_interface = neutron
debug = true
log_dir=/var/log/ironic
transport_url = rabbit://openstack:password@controller
[agent]
[amt]
[api]
[audit]
[cimc]
[cisco_ucs]
[conductor]
[console]
[cors]
[cors.subdomain]
[database]
connection=mysql+pymysql://ironic:password@controller/ironic?charset=utf8
[deploy]
[dhcp]
[disk_partitioner]
[disk_utils]
[drac]
[glance]
[iboot]
[ilo]
[inspector]
[ipmi]
[irmc]
[ironic_lib]
[iscsi]
[keystone]
[keystone_authtoken]
auth_type=password
auth_uri=http://controller:5000
auth_url=http://controller:35357
project_domain_name=Default
user_domain_name=Default
project_name=service
username=ironic
password=password
[matchmaker_redis]
[metrics]
[metrics_statsd]
[neutron]
[oneview]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_policy]
[pxe]
[seamicro]
[service_catalog]
[snmp]
[ssh]
[ssl]
[swift]
[virtualbox]
In /etc/nova/nova.conf:
...
scheduler_host_manager=ironic_host_manager
ram_allocation_ratio=1.0
reserved_host_memory_mb=0
scheduler_use_baremetal_filters=True
scheduler_tracks_instance_changes=False
scheduler_host_subset_size=9999999
firewall_driver = nova.virt.firewall.NoopFirewallDriver
...
Prepare Provisioning/Cleaning Network
On controller node, we need two additional NICs for this feature to work. Both NICs must connect to the same L2 network as our baremetal nodes reside. One for making Linux bridge under Neutron’s control (ens21), the other for Ironic API access endpoint in baremetal network (ens22).
In /etc/neutron/plugins/ml2/ml2_conf.ini:
[ml2_type_flat]
flat_networks = external,flat
In /etc/neutron/plugins/ml2/linuxbridge_agent.ini:
[linux_bridge]
physical_interface_mappings = external:ens19,vlan:ens20,flat:ens21
Restart related Neutron services.
sudo systemctl restart neutron-linuxbridge-agent.service
sudo systemctl restart neutron-server.service
Create Neutron network for baremetal provisioning/cleaning purposes which is in flat type.
neutron net-create baremetal-net --shared --provider:network_type flat --provider:physical_network flat
neutron subnet-create baremetal-net 100.74.41.0/24 --name baremetal-subnet --ip-version=4 --gateway=100.74.41.254 --allocation-pool start=100.74.41.200,end=100.74.41.250 --enable-dhcp
Set up the other NIC for later baremetal nodes API accessing.
sudo ip addr add 100.74.41.200/24 dev ens22
sudo ip link set up dev ens22
Edit /etc/network/interfaces to make the network configuration persistent.
Ironic Conductor
In this installation guide, there is a dedicate node for Ironic conductor.
Installation
sudo apt install ironic-conductor
Configuration
In /etc/ironic/ironic.conf:
[DEFAULT]
auth_strategy = keystone
enabled_drivers = pxe_ipmitool
enabled_network_interfaces = noop,flat,neutron
default_network_interface = neutron
my_ip=100.74.41.124
log_dir=/var/log/ironic
transport_url = rabbit://openstack:password@controller
[agent]
[amt]
[api]
[audit]
[cimc]
[cisco_ucs]
[conductor]
api_url=http://100.74.41.200:6385
[console]
[cors]
[cors.subdomain]
[database]
connection=mysql+pymysql://ironic:password@controller/ironic?charset=utf8
[deploy]
erase_devices_priority = 0
[dhcp]
[disk_partitioner]
[disk_utils]
[drac]
[glance]
glance_host=controller
[iboot]
[ilo]
[inspector]
enabled = True
service_url = http://ironic:5050
[ipmi]
[irmc]
[ironic_lib]
[iscsi]
[keystone]
[keystone_authtoken]
auth_type=password
auth_url=http://controller:5000
username=ironic
password=password
project_name=service
project_domain_name=Default
user_domain_name=Default
[matchmaker_redis]
[metrics]
[metrics_statsd]
[neutron]
cleaning_network_uuid = 28791788-59d7-4346-89aa-6f895b523c0c
provisioning_network_uuid = 28791788-59d7-4346-89aa-6f895b523c0c
[oneview]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host=controller
[oslo_messaging_zmq]
[oslo_policy]
[pxe]
pxe_append_params = coreos.autologin sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkgolYx6IoPSYnhZMdGivUJOm4AMtI0gkjFkY/53V4idbliQHAMJHGdMGYdlEm5ThOCw3DDblsQDNy7EZJaa9+T1imwrnUg0fYU13u+Tfq7Fg+TIn4hf4uG/ei2r1MLp2/lO/6dEPUGv2TiBQ+SVfB8yt2IUVIGgqNhGWJi/p5uw9O5KiAPN1UmT3CvpWYVFnfqvnDwnOMJkXg9xN8AbTkAHS1YDIljNMwBisaOvI5cjgZ5a+ovp2pdHBxZWyPAb7Y5NvlQHGtJQIlbWTcxIBu8/1YPbZlkTcgB0ghDf0upgKunqFHh/Zq3sdEEUyQ2Xr6qdVyaXwNQJhV8Kge196r ubuntu@controller" ipa-debug=1
[seamicro]
[service_catalog]
[snmp]
[ssh]
[ssl]
[swift]
[virtualbox]
To accelerate cleaning process, disable disk erasure in default cleaning steps.
Cleaning ATA disks which do not support cryptographic secure erase could be
extremely time consuming. In /etc/ironic/ironic.conf:
[deploy]
erase_devices_priority=0
Setting Provisioning/Cleaning Network
Of course you can specify different networks for provisioning and cleaning, but
in our case we’ll use the same network created above. Update the following
configuration in /etc/ironic/ironic.conf:
[neutron]
cleaning_network_uuid = 28791788-59d7-4346-89aa-6f895b523c0c
provisioning_network_uuid = 28791788-59d7-4346-89aa-6f895b523c0c
Restart Ironic conductor service.
sudo systemctl restart ironic-conductor.service
Ironic Python Agent (IPA)
In this guide we’ll build CoreOS version IPA image. So a Docker-ready environment is essential. There’s another way to build IPA images, please refer to Diskimage-builder.
Prerequisites
We’re building IPA image in CentOS 6.9 environment just because in our environment it has Docker client installed and there is a well-configured 3-node Docker Swarm for the use. But the default Python interpreter came along with the OS is relatively outdated:
# python -V
Python 2.6.6
Upgrading Python without touching the one system uses could be simple. Download the source tarball and start compiling:
# yum install gcc findutils grep gpg util-linux
# wget https://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz
# tar -zxf Python-2.7.10.tgz
# cd Python-2.7.10/
# ./configure
# make altinstall
# ln -s /usr/local/bin/python2.7 /usr/local/bin/python
# python -V
Python 2.7.10
Image Building
git clone https://git.openstack.org/openstack/ironic-python-agent.git
cd ironic-python-agent/
git checkout tags/newton-eol -b newton-eol
cd imagebuild/coreos/
make
Gaining Access to IPA on a Node
Here we’ll use CoreOS for illustration.
Add sshkey="ssh-rsa AAAA..." to pxe_append_params setting in ironic.conf
file then restart Ironic conductor service. After that you’re able to ssh core@<ip-address-of-node>.
On the other hand, if you want to access IPA via console, just simply add
coreos.autologin to pxe_append_params setting in `ironic.conf then restart
Ironic conductor service.
Set IPA to debug logging
Add ipa-debug=1 to pxe_append_params setting in ironic.conf file then
restart Ironic conductor service. IPA logs could be found with:
sudo journalctl -u ironic-python-agent.service
Network Generic Switch
In order to fully enable multi-tenancy feature provided by Ironic, one key point is Neutron support. Neutron supports multi-tenancy by nature. It creates overlay networks through various network technologies on top of provider networks. But right now baremetal multi-tenancy could only be done through VLAN segregation. And the most important, Neutron must have control over physical switches which connect the baremetal nodes. So the “Network Generic Switch” mechanism driver comes to help!
Source Modification
Just before the installation, we have to modify the source code for it to work as expected.
git clone https://github.com/openstack/networking-generic-switch.git
cd networking-generic-switch/
git checkout tags/newton-eol -b newton-eol
In networking_generic_switch/generic_switch_mech.py, there are two places to
modify. Change the default VLAN ID 1 to the actual VLAN ID you use in your
deployment. In our case it is VLAN ID 41.
def delete_port_postcommit(self, context):
...
# If segmentation ID is None, set vlan 41
if not segmentation_id:
segmentation_id = '41'
...
def bind_port(self, context):
...
# If segmentation ID is None, set vlan 41
if not segmentation_id:
segmentation_id = '41'
...
If you don’t do this, Neutron will not know what VLAN ID is for provisioning/cleaning network (flat type), and it defaults to VLAN ID 1 which breaks the provisioning/cleaning actions.
Installation
sudo python setup.py install
sudo pip install netmiko==0.5.0
Configuration
/etc/neutron/plugins/ml2/ml2_conf.ini:
[ml2]
mechanism_drivers = linuxbridge,genericswitch
/etc/neutron/plugins/ml2/ml2_conf_genericswitch.ini:
[genericswitch:Catalyst-202]
device_type = netmiko_cisco_ios
username = admin
password = password
secret = password
ip = 100.74.49.202
[genericswitch:Catalyst-203]
device_type = netmiko_cisco_ios
username = admin
password = password
secret = password
ip = 100.74.49.203
Restart neutron-server.
Ironic Inspector
Prerequisites
In order to use Ironic Inspector with OpenStack client, we need to create service endpoint for it.
openstack user create --domain default --password-prompt ironic-inspector
openstack role add --project service --user ironic-inspector admin
openstack service create --name ironic-inspector --description "Ironic baremetal discovery service" baremetal-introspection
openstack endpoint create --region RegionOne baremetal-introspection admin http://ironic:5050
openstack endpoint create --region RegionOne baremetal-introspection public http://ironic:5050
openstack endpoint create --region RegionOne baremetal-introspection internal http://ironic:5050
Installation
Install Ironic Inspector and Dnsmasq on Ironic (conductor) node.
sudo apt install ironic-inspector python-memcache dnsmasq
Install Ironic Inspector client package on controller (for openstack baremetal introspection command to work) and conductor (for openstack baremetal node inspect command to work) node.
sudo apt install python-ironic-inspector-client
Configuration
/etc/ironic/ironic.conf
/etc/ironic-inspector/inspector.conf:
[DEFAULT]
rootwrap_config = /etc/ironic-inspector/rootwrap.conf
[capabilities]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://ironic_inspector:password@controller/ironic_inspector?charset=utf8
[discoverd]
[discovery]
enroll_node_driver = pxe_ipmitool
[firewall]
dnsmasq_interface = ens19
[ironic]
auth_url = http://controller:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = ironic
password = password
[keystone_authtoken]
memcached_servers = controller:11211
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = ironic-inspector
password = password
[pci_devices]
[processing]
add_ports = all
keep_ports = present
processing_hooks = $default_processing_hooks,local_link_connection
ramdisk_logs_dir = /var/log/ironic-inspector/ramdisk
node_not_found_hook = enroll
[swift]
Add the following line in /etc/default/dnsmasq to prevent Dnsmasq overwriting
the original nameserver in /etc/resolv.conf, otherwise it will break your
Internet name resolution.
DNSMASQ_EXCEPT=lo
/etc/dnsmasq.conf:
port=0
interface=ens19
bind-interfaces
dhcp-range=100.74.41.151,100.74.41.200
enable-tftp
tftp-root=/tftpboot
dhcp-boot=pxelinux.0
/tftpboot/pxelinux.cfg/default:
default introspect
label introspect
kernel /tftpboot/images/coreos_production_pxe.vmlinuz
append initrd=/tftpboot/images/coreos_production_pxe_image-oem.cpio.gz selinux=0 disk= ipa-inspection-callback-url=http://100.74.41.124:5050/v1/continue ipa-inspection-collectors=default,logs ipa-collect-lldp=1 ironic_api_url= troubleshoot=0 text coreos.autologin boot_option= ipa-api-url=http://100.74.41.200:6385 ipa-driver-name=pxe_ipmitool boot_mode= coreos.configdrive=0 ipa-debug=1
ipappend 3
Prepare IPA ramdisk under /tftpboot/images directory for PXE booting.
sudo systemctl restart ironic-conductor.service
sudo systemctl restart dnsmasq.service
sudo -u ironic-inspector ironic-inspector --config-file /etc/ironic-inspector/inspector.conf
Ironic Operation Guide
Flavor Creation
CPU=2
RAM_MB=1024
DISK_GB=100
ARCH=x86_64
nova flavor-create my-baremetal-flavor auto $RAM_MB $DISK_GB $CPU
nova flavor-key my-baremetal-flavor set cpu_arch=$ARCH
nova flavor-key my-baremetal-flavor set capabilities:boot_option="local"
Image Preparation
Upload deploy images:
glance image-create --name deploy-coreos-vmlinuz --visibility public --disk-format aki --container-format aki < coreos_production_pxe.vmlinuz
glance image-create --name deploy-coreos-initrd --visibility public --disk-format ari --container-format ari < coreos_production_pxe_image-oem.cpio.gz
Upload user images:
glance image-create --name my-kernel --visibility public --disk-format aki --container-format aki < my-image.vmlinuz
MY_VMLINUZ_UUID="b332e81d-bd3d-4c24-8d84-83292514eecc"
glance image-create --name my-image.initrd --visibility public --disk-format ari --container-format ari < my-image.initrd
MY_INITRD_UUID="801c428e-561d-4b32-94d0-125eab9ff75b"
glance image-create --name my-image --visibility public --disk-format qcow2 --container-format bare --property kernel_id=$MY_VMLINUZ_UUID --property ramdisk_id=$MY_INITRD_UUID < my-image.qcow2
Enrolment
Manual Enrolment
Use OpenStack admin credential.
export IRONIC_API_VERSION=1.20
export OS_BAREMETAL_API_VERSION=1.20
$ ironic node-create -d pxe_ipmitool -n hp-11
$ ironic node-update hp-11 add \
driver_info/ipmi_username=Administrator \
driver_info/ipmi_password=Z6GRK2G8 \
driver_info/ipmi_address=100.74.41.11 \
driver_info/ipmi_terminal_port=623
$ ironic node-update hp-11 add \
driver_info/deploy_kernel=d891d03d-54df-4892-ac35-fb89221f6fd9 \
driver_info/deploy_ramdisk=d5dc5a93-d07c-4391-afa5-9dd568724e3a
$ ironic node-update hp-11 add \
properties/cpus=2 \
properties/memory_mb=32768 \
properties/local_gb=1024 \
properties/cpu_arch=x86_64 \
properties/capabilities="boot_option:local"
$ ironic node-update hp-11 add \
instance_info/ramdisk=801c428e-561d-4b32-94d0-125eab9ff75b \
instance_info/kernel=b332e81d-bd3d-4c24-8d84-83292514eecc \
instance_info/image_source=dfab5186-682e-48d4-9427-7ac07dea3ace \
instance_info/root_gb=50
$ ironic port-create -n fed2481a-7cc2-459d-b9cd-4c74b722c59a -a 98:f2:b3:3f:f4:6c \
-l switch_id=00:5f:86:13:db:80 \
-l switch_info=Catalyst-203 \
-l port_id=Gi1/0/31 \
--pxe-enabled true
$ ironic node-validate fed2481a-7cc2-459d-b9cd-4c74b722c59a
+------------+--------+---------------+
| Interface | Result | Reason |
+------------+--------+---------------+
| boot | True | |
| console | True | |
| deploy | True | |
| inspect | None | not supported |
| management | True | |
| network | True | |
| power | True | |
| raid | True | |
+------------+--------+---------------+
Automated Enrolment (Inspect)
Just simply power on the baremetal nodes, Ironic inspector will handle the rest of it.
For the record, Ironic inspector has not yet supported the use of port scheme
in introspection rule by newton version. That is, admin cannot configure extra
information like local_link_connection with introspection rule. Ironic
inspector default plugin includes local_link_connection
Manageable
ironic node-set-provision-state hp-11 manage
Cleaning
Automated Cleaning
ironic node-set-provision-state hp-11 provide
Manual Cleaning
ironic node-set-provision-state hp-11 clean \
--clean-steps '[{"interface": "deploy", "step": "erase_devices_metadata"}]'
Workload
nova boot --flavor my-baremetal-flavor --image my-image --nic net-id=070c1b6d-3777-416a-a971-4216dce67b1a --key my-key test-baremetal
Appendix
Diskimage-Builder
yum install squashfs-tools
pip install diskimage-builder
DIB_DEV_USER_USERNAME=user DIB_DEV_USER_PASSWORD=password DIB_DEV_USER_PWDLESS_SUDO=yes disk-image-create ironic-agent ubuntu devuser proliant-tools -o ironic-agent