-
Notifications
You must be signed in to change notification settings - Fork 112
/
ironic.conf.j2
227 lines (208 loc) · 9.65 KB
/
ironic.conf.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
[DEFAULT]
auth_strategy = noauth
debug = true
default_deploy_interface = direct
default_inspect_interface = inspector
default_network_interface = noop
enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,ibmc,manual-management,ilo,ilo5
enabled_inspect_interfaces = inspector,idrac,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ibmc,ilo,ilo5,noop
enabled_power_interfaces = ipmitool,idrac,irmc,fake,redfish,idrac-redfish,ibmc,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac,idrac-redfish,redfish,ilo,fake,ibmc
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
rpc_transport = none
{% endif %}
use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
my_ip = {{ env.IRONIC_IP }}
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
# If we run both API and conductor in the same pod, use localhost
host = localhost
{% else %}
host = {{ env.IRONIC_URL_HOST }}
{% endif %}
# If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %}
webserver_verify_ca = {{ env.WEBSERVER_CACERT_FILE }}
{% elif env.IRONIC_INSECURE == "true" %}
webserver_verify_ca = false
{% endif %}
isolinux_bin = /usr/share/syslinux/isolinux.bin
# NOTE(dtantsur): this path is specific to the GRUB image that is built into
# the ESP provided in [conductor]bootloader.
grub_config_path = EFI/centos/grub.cfg
[agent]
deploy_logs_collect = always
deploy_logs_local_path = /shared/log/ironic/deploy
# NOTE(dtantsur): in some environments temporary networking issues can cause
# the whole deployment to fail on inability to reach the ramdisk. Increasing
# retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30
[api]
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
unix_socket = /shared/ironic.sock
# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
# another container, we need to make it world-writeable.
unix_socket_mode = 0666
{% else %}
host_ip = 127.0.0.1
port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
port = {{ env.IRONIC_LISTEN_PORT }}
{% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true
{% endif %}
{% endif %}
api_workers = {{ env.NUMWORKERS }}
[conductor]
automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
# NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
deploy_callback_timeout = 4800
send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# NOTE(TheJulia): Do not lower this value below 120 seconds.
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
# Provide for a timeout longer than 60 seconds for certain vendor's hardware
power_state_change_timeout = 120
[database]
{% if env.IRONIC_USE_MARIADB | lower == "false" %}
connection = sqlite:////var/lib/ironic/ironic.sqlite
# Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time.
sqlite_synchronous = False
{% elif env.MARIADB_TLS_ENABLED == "true" %}
connection = mysql+pymysql://ironic:{{ env.MARIADB_PASSWORD }}@127.0.0.1/ironic?charset=utf8&ssl=on&ssl_ca={{ env.MARIADB_CACERT_FILE }}
{% else %}
connection = mysql+pymysql://ironic:{{ env.MARIADB_PASSWORD }}@127.0.0.1/ironic?charset=utf8
{% endif %}
[deploy]
default_boot_option = local
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %}
{% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
{% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
{% endif %}
[dhcp]
dhcp_provider = none
[inspector]
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
{% endif %}
# NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors=default,extra-hardware,logs ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
{% endif %}
[ipmi]
# use_ipmitool_retries transfers the responsibility of retrying to ipmitool
# when supported. If set to false, then ipmitool is called as follows :
# $ipmitool -R 1 -N 1 ...
# and Ironic handles the retry loop.
use_ipmitool_retries = false
# The following parameters are the defaults in Ironic. They are used in the
# following way if use_ipmitool_retries is set to true:
# $ipmitool -R <X> -N <Y> ...
# where :
# X = command_retry_timeout / min_command_interval
# Y = min_command_interval
# If use_ipmitool_retries is false, then ironic retries X times, with an
# interval of Y in between each tries.
min_command_interval = 5
command_retry_timeout = 60
# List of possible cipher suites versions that can be
# supported by the hardware in case the field `cipher_suite`
# is not set for the node. (list value)
cipher_suite_versions = 3,17
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
[json_rpc]
# We assume that when we run API and conductor in the same container, they use
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
host_ip = localhost
{% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
insecure = {{ env.IRONIC_INSECURE }}
{% endif %}
{% endif %}
[oslo_messaging_notifications]
driver = prometheus_exporter
location = /shared/ironic_prometheus_exporter
transport_url = fake://
[pxe]
# NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen.
# The default settings enable 3 retries after 20 minutes each.
boot_retry_timeout = 1200
images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot
kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
# This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface).
enable_netboot_fallback = true
# Enable the fallback path to ironic-inspector
ipxe_fallback_script = inspector.ipxe
[redfish]
use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
[ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
[irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }}
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}
{% if env.IRONIC_TLS_SETUP == "true" %}
[ssl]
cert_file = {{ env.IRONIC_CERT_FILE }}
key_file = {{ env.IRONIC_KEY_FILE }}
{% endif %}