Skip to content

dtantsur/ironic-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits

doc

doc

 
 

ironic_proxy

ironic_proxy

 
 

.coveragerc

.coveragerc

 
 

.gitignore

.gitignore

 
 

.stestr.conf

.stestr.conf

 
 

HACKING.rst

HACKING.rst

 
 

LICENSE

LICENSE

 
 

README.rst

README.rst

 
 

requirements.txt

requirements.txt

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

test-requirements.txt

test-requirements.txt

 
 

tox.ini

tox.ini

 
 

Repository files navigation

ironic-proxy

Experimental proxy for Bare Metal API.

Warning

This is a proof-of-concept. DO NOT USE IN PRODUCTION!

Overview

The proxy works by delegating requests to remove Ironic instances, distinguished by a conductor group:

  • When creating a node, it's conductor group (defaulting to the empty string) is used to find the target installation.
  • When doing actions on an existing node, the node is found by polling all sources. The node-to-group mapping is then cached for the runtime of the service.
  • When listing all nodes, the listings from all sources are merged.

Status

Implemented API:

  • Version discovery.
  • All nodes operations.

Pretends to support the set of microversions common between all sources.

Architecture

This one of the possible Edge architectures with ironic-proxy:

baremetal API    image API
     +               +

Hub | | +------------------------------------------+ | | | | | v v | | keystone <---+ ironic-proxy +---> glance | | + ^ | +------------------------------------------+ | |

+<------------+<---------+ +------------->+ | | |

+-------------------------------------+ +-------------------------------------+ | | | | | | | | v v + | | | | keystone <---+ ir-api +---> ir-cond | | keystone <---+ ir-api +---> ir-cond | | ^ ^ | | | | local DHCP | | | | | | ^ | | | | | +-------------------------------------+ +-------------------------------------+ Edge | | | Edge +<-------+ | +--------->+ | | | +-------+ +-+-+-+-+ +-------+ +-------+ +-------+ +-------+ | | | | | | | | | | | | +-------+ +-------+ +-------+ +-------+ +-------+ +-------+ Nodes Nodes

Notes:

  • The Hub and Edge locations do not share message queue and database.

  • The Network service (neutron) is not present, since it would require stretching message queue and database between the locations. Instead, a local DHCP server is used, and ironic is configured with the noop network interface.

    Note

    A tool like cloud-init or os-net-config can be used for post-deploy networking configuration.

  • The Compute service (nova) can be used in theory, but its dependency on neutron is an issue. Neutron can be deployed and used by nova, but no networking configuration will be coming from it.

    The Metadata API cannot be used, a configdrive must be used instead.

  • Each location has its own Identity service (keystone) installation.

  • However, ironic-conductor at each Edge is configured to access the Image service (glance) at the Hub location.

    Note

    This is possible because ironic configures credentials for each service it uses separately.

    With the iscsi deploy interface, images will be served from the ironic-conductor location via iSCSI.

    With the direct deploy interface, ironic has to be configured with image_download_source=http to make sure images are served from the local HTTP server.

Configuration

First, map all possible conductor groups to sources:

[DEFAULT]
groups = _:loc1,grp1:loc2,grp2:loc1

This maps the default group and group grp2 to location loc1, while the group grp1 is mapped to loc2.

Note

The default group is designated as the underscore.

Then define the credentials to access every location, for example:

[group:loc1]
auth_type = password
auth_url = http://192.168.42.1/identity
username = ironic
user_domain_id = default
password = pa$$w0rd
project_name = service
project_domain_id = default

Finally, configure API for authentication if needed:

[api]
auth_strategy = keystone

[keystone_authtoken]
auth_type = password
auth_url = http://192.168.42.1/identity
www_authenticate_uri = http://192.168.42.1/identity
username = ironic
user_domain_id = default
password = pa$$w0rd
project_name = service
project_domain_id = default

Use the following to disable authentication (dangerous):

[api]
auth_strategy = none

Running

Production

Run the WSGI application ironic_proxy.wsgi:application. For example, with uwsgi create the following configuration file:

[uwsgi]
module = ironic_proxy.wsgi
; Adjust to listen on correct host/port
http = 127.0.0.1:5000
; Tell ironic-proxy the location of the configuration file
pyargv = --config-file /path/to/config/file
; Required since ironic-proxy itself uses threads
enable-threads = true
; Adjust number of processes and/or threads as needed
processes = 4
; Set if you're running ironic-proxy from a virtualenv
;virtualenv = /path/to/virtualenv

Then starts with:

uwsgi /path/to/uwsgi/config

Development

You can run ironic-proxy with non-production development server via:

tox -evenv -- python -m ironic_proxy.api --config-file /path/to/config/file

About

Experimental proxy for Bare Metal API

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages