Install and configure for Red Hat Enterprise Linux and CentOS

admin

This section describes how to install and configure the Bare Metal service for Red Hat Enterprise Linux 7 and CentOS 7.

: B! _! T; w* ]5 vInstall and configure prerequisites¶
The Bare Metal service is a collection of components that provides support to manage and provision physical machines. You can configure these components to run on separate nodes or the same node. In this guide, the components run on one node, typically the Compute Service’s compute node.
( @& ~3 E: ?* A6 [7 @, {( d
. F0 I- R9 G% U" e: NIt assumes that the Identity, Image, Compute, and Networking services have already been set up.
1 n% H* Z3 ?* B3 e
6 U, d& v, a+ V9 K, B, SSet up the database for Bare Metal¶
- b# Z, {0 H. Q8 `The Bare Metal service stores information in a database. This guide uses the MySQL database that is used by other openstack services.

In MySQL, create an ironic database that is accessible by the ironic user. Replace IRONIC_DBPASSWORD with a suitable password:

# mysql -u root -p
mysql> CREATE DATABASE ironic CHARACTER SET utf8;
+ l' O/ T. h6 y/ y, ~6 y! k8 N8 p" dmysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'localhost' \
4 h* Q% F) H/ R, x* H       IDENTIFIED BY 'IRONIC_DBPASSWORD';
mysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'%' \
       IDENTIFIED BY 'IRONIC_DBPASSWORD';
Install and configure components¶
7 j( X& E2 I1 k2 h/ s" uInstall from packages
) f4 D" G1 |  q5 h
Using dnf
+ W4 W! G! w! F' h2 A
3 j/ ^" W) b- ?- {8 r7 K' l# dnf install openstack-ironic-api openstack-ironic-conductor python-ironicclient
Using yum

# yum install openstack-ironic-api openstack-ironic-conductor python-ironicclient
6 M& i4 H/ a2 @- ^Enable services
$ `6 y# i& B  X# r/ G% [6 O
1 l+ Z% R1 `, G" H  ~# _# systemctl enable openstack-ironic-api openstack-ironic-conductor
# systemctl start openstack-ironic-api openstack-ironic-conductor
The Bare Metal service is configured via its configuration file. This file is typically located at /etc/ironic/ironic.conf.
! r9 l2 r8 a: ?% `- @* V2 d
- P9 l1 x* ^* T  jAlthough some configuration options are mentioned here, it is recommended that you review all the Sample Configuration File so that the Bare Metal service is configured for your needs.

5 G  d: T" S( ?3 q3 ZIt is possible to set up an ironic-api and an ironic-conductor services on the same host or different hosts. Users also can add new ironic-conductor hosts to deal with an increasing number of bare metal nodes. But the additional ironic-conductor services should be at the same version as that of existing ironic-conductor services.
7 z' a  T2 m$ U8 s
Configuring ironic-api service¶
6 @: ^" T% k+ [The Bare Metal service stores information in a database. This guide uses the MySQL database that is used by other OpenStack services.
5 R$ @/ c1 k, d  K3 C. M# v
Configure the location of the database via the connection option. In the following, replace IRONIC_DBPASSWORD with the password of your ironic user, and replace DB_IP with the IP address where the DB server is located:
, p3 ]  q+ m* X+ y: a' O
[database]

/ M7 x% s# Q( g0 _$ `8 Y# The SQLAlchemy connection string used to connect to the
# database (string value)
& Y! _. b; [; I$ S$ N& J3 @2 |  a$ aconnection=mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic?charset=utf8
2 Z  b. ^/ B) O% S, S4 \# `' IConfigure the ironic-api service to use the RabbitMQ message broker by setting the following option. Replace RPC_* with appropriate address details and credentials of RabbitMQ server:

! o- [, r+ E( f- W" Q[DEFAULT]

# A URL representing the messaging driver to use and its full
" l! u" I& O% U- s# configuration. (string value)
transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/
$ W- I$ e" r1 V1 J) u- ?Configure the ironic-api service to use these credentials with the Identity service. Replace PUBLIC_IDENTITY_IP with the public IP of the Identity server, PRIVATE_IDENTITY_IP with the private IP of the Identity server and replace IRONIC_PASSWORD with the password you chose for the ironic user in the Identity service:
* ^% i* L( u% G0 d+ f! j
[DEFAULT]

6 \2 \' ]0 Q+ z# Authentication strategy used by ironic-api: one of
* G$ x; \" Q; V5 \# "keystone" or "noauth". "noauth" should not be used in a
) I& i% p$ K/ [# production environment because all authentication will be
+ l" V7 w/ R* g) Q! O# S% `# disabled. (string value)
auth_strategy=keystone

5 d" D; a/ r3 s" c! U2 K% x[keystone_authtoken]
: W2 s8 ]& M9 l
# Authentication type to load (string value)
auth_type=password

0 h( n4 D/ O4 W: U$ h2 ~/ ?# U7 I7 h# Complete public Identity API endpoint (string value)
www_authenticate_uri=http://PUBLIC_IDENTITY_IP:5000

# Complete admin Identity API endpoint. (string value)
auth_url=http://PRIVATE_IDENTITY_IP:5000
+ ?9 u3 f$ X% A) k: r5 S6 n
# Service username. (string value)
  d  M- s" F$ a% ?6 O# M* Q( Pusername=ironic

9 s9 p/ U$ H/ y/ w# Service account password. (string value)
password=IRONIC_PASSWORD
! E% z  a* ]+ T" ^
# D/ v( K- A7 x# Service tenant name. (string value)
: ^7 W$ G2 _$ ^7 wproject_name=service
. l5 m7 t, P, q4 F
8 @: w& H% d5 R( K* S0 i; r' j) ~/ L# Domain name containing project (string value)
project_domain_name=Default

# User's domain name (string value)
* S# X* R/ s" [$ ouser_domain_name=Default
5 @7 x( Z9 Y( P3 [; qCreate the Bare Metal service database tables:
+ x6 g6 e! X; B8 Y3 l
$ ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
; K3 J( c, X2 Z# T( r' ]9 q, f; mRestart the ironic-api service:
, {3 v! o( Y8 W7 [  z
Fedora/RHEL7/CentOS7/SUSE:
8 s- T: D7 M1 w* q( u  ~+ e
5 s( z- z3 J2 E$ u/ i0 [' Dsudo systemctl restart openstack-ironic-api
Ubuntu:
5 Q3 W7 `( @% _9 S1 L
sudo service ironic-api restart
; a, S, \! d' A. x" VConfiguring ironic-api behind mod_wsgi¶
9 p  R( O0 X- v8 RBare Metal service comes with an example file for configuring the ironic-api service to run behind Apache with mod_wsgi.
5 [% _4 z! g+ ^! s7 L# G: w
" B* r0 a- N7 n; N2 V1 pInstall the apache service:

RHEL7/CentOS7:

sudo yum install httpd
8 s  b* P  Z8 O2 j0 @Fedora:
. ?3 }, p* C" C3 Q
# y% h+ c9 f/ msudo dnf install httpd
/ m, `! d" Z! ]8 }# ODebian/Ubuntu:
/ V! J/ E' E2 r1 r6 ]
apt-get install apache2
SUSE:
" S! z  }2 y! ]! R
% _/ Y: T4 U0 V+ Lzypper install apache2
Download the etc/apache2/ironic file from the Ironic project tree and copy it to the apache sites:

' S- s. |3 P" a6 r+ c/ gFedora/RHEL7/CentOS7:
  t( K: @: L% f) @% \3 h
2 F9 G: g$ E+ x& f! {+ ~5 z: M' G/ Lsudo cp etc/apache2/ironic /etc/httpd/conf.d/ironic.conf
Debian/Ubuntu:

3 g' U! Y; n6 A! j2 Nsudo cp etc/apache2/ironic /etc/apache2/sites-available/ironic.conf
SUSE:
- i: K+ o; f. s1 R/ Y' L
# [( w- d$ d4 o- w* _sudo cp etc/apache2/ironic /etc/apache2/vhosts.d/ironic.conf
7 G# w5 Y0 T# c+ V6 xEdit the recently copied <apache-configuration-dir>/ironic.conf:

7 Y- t+ u: {5 r9 @5 M( h& y: d: f# |" mModify the WSGIDaemonProcess, APACHE_RUN_USER and APACHE_RUN_GROUP directives to set the user and group values to an appropriate user on your server.
Modify the WSGIScriptAlias directive to point to the automatically generated ironic-api-wsgi script that is located in IRONIC_BIN directory.
% V) k5 b% N! x7 e; i% ^Modify the Directory directive to set the path to the Ironic API code.
$ T" D- f1 T' |/ y1 BModify the ErrorLog and CustomLog to redirect the logs to the right directory (on Red Hat systems this is usually under /var/log/httpd).
6 g, k9 x# d8 s: DEnable the apache ironic in site and reload:

) p& I5 \* M/ p$ \Fedora/RHEL7/CentOS7:

sudo systemctl reload httpd
$ I9 R* d0 m. Q1 O9 B/ `: JDebian/Ubuntu:

3 h& v3 f  F0 {sudo a2ensite ironic
sudo service apache2 reload
! u. K- h6 r0 {6 hSUSE:
$ P; k% N$ O+ [' |" c4 A# A
: N% X) I2 q+ M- @0 B- asudo systemctl reload apache2
Note

The file ironic-api-wsgi is automatically generated by pbr and is available in IRONIC_BIN directory. It should not be modified.
; c0 E$ m1 h3 V/ Q( dConfiguring ironic-conductor service¶
Replace HOST_IP with IP of the conductor host.
: F" o+ y! w" N4 H0 ]2 b6 x# V
8 z* }- G, J$ V9 M& i[DEFAULT]
# X: y7 u$ X# L9 W2 r% X
# IP address of this host. If unset, will determine the IP
# programmatically. If unable to do so, will use "127.0.0.1".
" i$ t, Q2 J1 n/ M7 E: g& b# (string value)
/ {( g* }7 l6 F% U$ F! S- H4 Imy_ip=HOST_IP
2 b! j" J% M" K4 G4 h5 b Note
' ^" P% N) V  S9 \% h
If a conductor host has multiple IPs, my_ip should be set to the IP which is on the same network as the bare metal nodes.
$ V/ j) p) w# @! x7 C1 cConfigure the location of the database. Ironic-conductor should use the same configuration as ironic-api. Replace IRONIC_DBPASSWORD with the password of your ironic user, and replace DB_IP with the IP address where the DB server is located:

[database]

# The SQLAlchemy connection string to use to connect to the
5 F3 p+ f+ Y' N0 O: i; Q$ |4 {# database. (string value)
% ~2 @7 {; n) G  fconnection=mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic?charset=utf8
Configure the ironic-conductor service to use the RabbitMQ message broker by setting the following option. Ironic-conductor should use the same configuration as ironic-api. Replace RPC_* with appropriate address details and credentials of RabbitMQ server:

[DEFAULT]

# A URL representing the messaging driver to use and its full
# configuration. (string value)
transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/
  @9 `# N5 n0 t. Y( R) k7 AConfigure credentials for accessing other OpenStack services.

$ m3 b5 t! O! d. G) uIn order to communicate with other OpenStack services, the Bare Metal service needs to use service users to authenticate to the OpenStack Identity service when making requests to other services. These users’ credentials have to be configured in each configuration file section related to the corresponding service:
! l) s. n/ p: L  U
+ J& I3 K* {; u/ t[neutron] - to access the OpenStack Networking service
[glance] - to access the OpenStack Image service
[swift] - to access the OpenStack Object Storage service
[cinder] - to access the OpenStack Block Storage service
/ S4 Q" n+ \7 Y5 a2 g: @9 [7 b[inspector] - to access the OpenStack Bare Metal Introspection service
[service_catalog] - a special section holding credentials the Bare Metal service will use to discover its own API URL endpoint as registered in the OpenStack Identity service catalog.
For simplicity, you can use the same service user for all services. For backward compatibility, this should be the same user configured in the [keystone_authtoken] section for the ironic-api service (see “Configuring ironic-api service”). However, this is not necessary, and you can create and configure separate service users for each service.
) n5 }$ Y" |/ d# X: ]: ]. W5 e
$ x( u/ I/ V7 }  _Under the hood, Bare Metal service uses keystoneauth library together with Authentication plugin, Session and Adapter concepts provided by it to instantiate service clients. Please refer to Keystoneauth documentation for supported plugins, their available options as well as Session- and Adapter-related options for authentication, connection and endpoint discovery respectively.

6 Y1 O# ]( E8 RIn the example below, authentication information for user to access the OpenStack Networking service is configured to use:

! V. C) p5 M( I( ^6 X7 }/ |* \* aNetworking service is deployed in the Identity service region named RegionTwo, with only its public endpoint interface registered in the service catalog.
: w1 q* B9 A) r$ O: DHTTPS connection with specific CA SSL certificate when making requests
the same service user as configured for ironic-api service
dynamic password authentication plugin that will discover appropriate version of Identity service API based on other provided options
9 o8 U3 f" J, ureplace IDENTITY_IP with the IP of the Identity server, and replace IRONIC_PASSWORD with the password you chose for the ironic user in the Identity service
[neutron]

9 Z. z, n% n) \; W) Z0 Q6 a7 r. J# Authentication type to load (string value)
auth_type = password
3 G0 `$ m5 U7 h- c
# Authentication URL (string value)
auth_url=https://IDENTITY_IP:5000/
5 a3 I+ Y# @, _/ a
4 }2 {( F8 o1 ]2 w# Username (string value)
username=ironic

* e; q2 G0 a* V6 s2 b# User's password (string value)
, H2 i  J3 D# J0 Gpassword=IRONIC_PASSWORD
) C% y9 |) o8 d8 l
# Project name to scope to (string value)
project_name=service

# Domain ID containing project (string value)
7 {" y$ {, S" t1 P9 n- mproject_domain_id=default

# User's domain id (string value)
user_domain_id=default

/ ]  g% g( w3 @2 R% s+ ?# PEM encoded Certificate Authority to use when verifying
' X! S$ q! z6 v, e( U1 Q# HTTPs connections. (string value)
cafile=/opt/stack/data/ca-bundle.pem

# The default region_name for endpoint URL discovery. (string
; m, [; ?0 X8 E& H/ F8 b* o2 `8 `# value)
region_name = RegionTwo

1 ?( S: t- o! ^) Y6 Z2 D0 G. J3 _- H# List of interfaces, in order of preference, for endpoint
8 [* c% N+ ?+ V1 F% A# o; J, i. F7 a# URL. (list value)
! s4 `8 N" U! Z8 A5 L: j6 pvalid_interfaces=public
  u( o5 @! u' e/ ~) V8 t, DBy default, in order to communicate with another service, the Bare Metal service will attempt to discover an appropriate endpoint for that service via the Identity service’s service catalog. The relevant configuration options from that service group in the Bare Metal service configuration file are used for this purpose. If you want to use a different endpoint for a particular service, specify this via the endpoint_override configuration option of that service group, in the Bare Metal service’s configuration file. Taking the previous Networking service example, this would be

7 Q* b0 j. q2 v- b7 L9 t# o1 N[neutron]
...
! S( d3 Z( O7 e* m2 d8 E: g# Xendpoint_override = <NEUTRON_API_ADDRESS>
(Replace <NEUTRON_API_ADDRESS> with actual address of a specific Networking service endpoint.)

Configure enabled drivers and hardware types as described in Enabling drivers and hardware types.
0 w' _% w: }* o7 F9 Z% _
* H, Q1 O5 b% c7 `If you enabled any driver that uses Direct deploy, Swift backend for the Image service must be installed and configured, see Configure the Image service for temporary URLs. Ceph Object Gateway (RADOS Gateway) is also supported as the Image service’s backend, see Ceph Object Gateway support.
, S! X3 i: y4 U) k' M% i6 C  L$ |Configure the network for ironic-conductor service to perform node cleaning, see Node cleaning from the admin guide.

Restart the ironic-conductor service:
$ c/ z4 _  U/ f0 k* T( R
: L6 r6 `1 U; B" t9 I+ ZFedora/RHEL7/CentOS7/SUSE:

1 l$ A8 |* `2 ]0 M. `. jsudo systemctl restart openstack-ironic-conductor
0 m, e0 \  r. E8 i6 LUbuntu:

sudo service ironic-conductor restart