ironic/doc/source/install/include/configure-ironic-conductor.rst

Configuring ironic-conductor service

  1. Replace HOST_IP with the IP address of the conductor host.

    [DEFAULT]
    
    # IP address of this host. If unset, will determine the IP
    # programmatically. If unable to do so, will use "127.0.0.1".
    # (string value)
    my_ip=HOST_IP

    Note

    If a conductor host has multiple IPs, my_ip should be set to the IP which is on the same network as the bare metal nodes.

  2. Configure the location of the database. Ironic-conductor should use the same configuration as ironic-api. Replace IRONIC_DBPASSWORD with the password of your ironic user, and replace DB_IP with the IP address where the DB server is located:

    [database]
    
    # The SQLAlchemy connection string to use to connect to the
    # database. (string value)
    connection=mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic?charset=utf8

  3. Configure the ironic-conductor service to use the RabbitMQ message broker by setting the following option. Ironic-conductor should use the same configuration as ironic-api. Replace RPC_* with the appropriate address details and credentials of the RabbitMQ server:

    [DEFAULT]
    
    # A URL representing the messaging driver to use and its full
    # configuration. (string value)
    transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/

  4. Configure credentials for accessing other OpenStack services.

    In order to communicate with other OpenStack services, the Bare Metal service needs to use service users to authenticate to the OpenStack Identity service when making requests to other services. These users' credentials have to be configured in each configuration file section related to the corresponding service:

    • [neutron] - to access the OpenStack Networking service
    • [glance] - to access the OpenStack Image service
    • [swift] - to access the OpenStack Object Storage service
    • [inspector] - to access the OpenStack Bare Metal Introspection service
    • [service_catalog] - a special section holding credentials the Bare Metal service will use to discover its own API URL endpoint as registered in the OpenStack Identity service catalog.

    For simplicity, you can use the same service user for all services. For backward compatibility, this should be the same user configured in the [keystone_authtoken] section for the ironic-api service (see "Configuring ironic-api service"). However, this is not necessary, and you can create and configure separate service users for each service.

    Under the hood, the Bare Metal service uses the keystoneauth library, together with the Authentication plugin and Session concepts it provides, to instantiate service clients. Refer to the Keystoneauth documentation for the supported plugins and their options (authentication) and for the Session-related options (connection).

    In the example below, the authentication information for the user that accesses the OpenStack Networking service is configured to use:

    • HTTPS connection with specific CA SSL certificate when making requests
    • the same service user as configured for ironic-api service
    • dynamic password authentication plugin that will discover appropriate version of Identity service API based on other provided options
      • replace IDENTITY_IP with the IP of the Identity server, and replace IRONIC_PASSWORD with the password you chose for the ironic user in the Identity service

    [neutron]
    
    # Authentication type to load (string value)
    auth_type = password
    
    # Authentication URL (string value)
    auth_url=https://IDENTITY_IP:5000/
    
    # Username (string value)
    username=ironic
    
    # User's password (string value)
    password=IRONIC_PASSWORD
    
    # Project name to scope to (string value)
    project_name=service
    
    # Domain ID containing project (string value)
    project_domain_id=default
    
    # User's domain id (string value)
    user_domain_id=default
    
    # PEM encoded Certificate Authority to use when verifying
    # HTTPs connections. (string value)
    cafile=/opt/stack/data/ca-bundle.pem

  5. Notes for configuring the Image service access

    Note

    Swift backend for the Image service must be installed and configured for agent_* drivers. Ceph Object Gateway (RADOS Gateway) is also supported as the Image service's backend (radosgw support).

    Configure the ironic-conductor service to use specific Image service endpoints - only if you do not want to use Image service endpoint discovery from the keystone service catalog. Replace <GLANCE_SERVICE_URL> with the address of the image service API:

    [glance]
    endpoint_override = <GLANCE_SERVICE_URL>

  6. Notes for configuring the Network service access

    Note

    To configure the network for ironic-conductor service to perform node cleaning, see cleaning from the admin guide.

    Set a specific URL for connecting to the Networking service (replace NETWORKING_SERVICE_ENDPOINT with the Networking service endpoint) - only if you do not want to use discovery of the Networking service endpoint from the keystone service catalog:

    [neutron]
    
    # URL for connecting to neutron. (string value)
    endpoint_override = <NETWORKING_SERVICE_ENDPOINT>

  7. Configure a specific ironic-api service URL - only if you do not want to use discovery of the Baremetal service endpoint from the keystone catalog (for example, when you have deployed two separate pools of ironic-api services for security reasons). Replace IRONIC_API_IP with the IP of the specific ironic-api service as follows:

    [conductor]
    
    # URL of Ironic API service. If not set ironic can get the
    # current value from the keystone service catalog. (string
    # value)
    endpoint_override=http://IRONIC_API_IP:6385

  8. Configure enabled drivers and hardware types as described in /install/enabling-drivers.

  9. Restart the ironic-conductor service:

    Fedora/RHEL7/CentOS7/SUSE:
      sudo systemctl restart openstack-ironic-conductor
    
    Ubuntu:
      sudo service ironic-conductor restart
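
A check to run over the file assembled in steps 1 to 7 before the restart in step 9, added here as an example (it is not part of the ironic documentation or code base): it flags placeholders from this page that were never substituted, `auth_url` / `endpoint_override` values that use cleartext `http`, and service sections with `auth_type = password` that lack a credential. The function name `audit`, the finding strings and the sample file contents are assumptions made for the illustration.

```python
import configparser
import re
from urllib.parse import urlsplit

# Placeholder tokens used in the steps above; one left in a live file is a missed substitution.
PLACEHOLDER = re.compile(
    r"\b(HOST_IP|IRONIC_DBPASSWORD|DB_IP|RPC_[A-Z]+|IDENTITY_IP|"
    r"IRONIC_PASSWORD|IRONIC_API_IP)\b|<[A-Z_]+>")
SERVICE_SECTIONS = ("neutron", "glance", "swift", "inspector", "service_catalog")
PASSWORD_AUTH_OPTIONS = ("auth_url", "username", "password")

def audit(conf_text):
    """Return sorted (section, option, problem) tuples for an ironic.conf body."""
    # strict=False tolerates a repeated section; interpolation=None keeps '%' in
    # passwords literal; renaming default_section stops [DEFAULT] being inherited.
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    default_section="__unused__")
    cfg.read_string(conf_text)
    findings = set()
    for section in cfg.sections():
        for option, value in cfg.items(section):
            if PLACEHOLDER.search(value):
                findings.add((section, option, "placeholder not replaced"))
            if (option in ("auth_url", "endpoint_override")
                    and urlsplit(value).scheme == "http"):
                findings.add((section, option, "cleartext http"))
    for section in SERVICE_SECTIONS:
        if cfg.get(section, "auth_type", fallback="") != "password":
            continue
        for option in PASSWORD_AUTH_OPTIONS:
            if not cfg.get(section, option, fallback="").strip():
                findings.add((section, option, "missing for password auth"))
    return sorted(findings)

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
transport_url = rabbit://ironic:RPC_PASSWORD@192.0.2.20:5672/
[neutron]
auth_type = password
auth_url=https://192.0.2.30:5000/
username=ironic
cafile=/opt/stack/data/ca-bundle.pem
[conductor]
endpoint_override=http://192.0.2.40:6385
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The findings name only the section and option, never the value, so the output can be logged without exposing the passwords held in the file.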