Install and configure for Red Hat Enterprise Linux and CentOS

Install and configure for Red Hat Enterprise Linux and CentOS

This section describes how to install and configure the Bare Metal service for Red Hat Enterprise Linux 7 and CentOS 7.

Install and configure prerequisites

The Bare Metal service is a collection of components that provides support to manage and provision physical machines. You can configure these components to run on separate nodes or the same node. In this guide, the components run on one node, typically the Compute Service’s compute node.

It assumes that the Identity, Image, Compute, and Networking services have already been set up.

Set up the database for Bare Metal

The Bare Metal service stores information in a database. This guide uses the MySQL database that is used by other OpenStack services.

  1. In MySQL, create an ironic database that is accessible by the ironic user. Replace IRONIC_DBPASSWORD with a suitable password:

    # mysql -u root -p
    mysql> CREATE DATABASE ironic CHARACTER SET utf8;
    mysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'localhost' \
           IDENTIFIED BY 'IRONIC_DBPASSWORD';
    mysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'%' \
           IDENTIFIED BY 'IRONIC_DBPASSWORD';
    

Install and configure components

  1. Install from packages

    • Using dnf

      # dnf install openstack-ironic-api openstack-ironic-conductor python-ironicclient
      
    • Using yum

      # yum install openstack-ironic-api openstack-ironic-conductor python-ironicclient
      
  2. Enable services

    # systemctl enable openstack-ironic-api openstack-ironic-conductor
    # systemctl start openstack-ironic-api openstack-ironic-conductor
    

The Bare Metal service is configured via its configuration file. This file is typically located at /etc/ironic/ironic.conf.

Although some configuration options are mentioned here, it is recommended that you review all the available options so that the Bare Metal service is configured for your needs.

It is possible to set up an ironic-api and an ironic-conductor services on the same host or different hosts. Users also can add new ironic-conductor hosts to deal with an increasing number of bare metal nodes. But the additional ironic-conductor services should be at the same version as that of existing ironic-conductor services.

Configuring ironic-api service

  1. The Bare Metal service stores information in a database. This guide uses the MySQL database that is used by other OpenStack services.

    Configure the location of the database via the connection option. In the following, replace IRONIC_DBPASSWORD with the password of your ironic user, and replace DB_IP with the IP address where the DB server is located:

    [database]
    
    # The SQLAlchemy connection string used to connect to the
    # database (string value)
    connection=mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic?charset=utf8
    
  2. Configure the ironic-api service to use the RabbitMQ message broker by setting the following option. Replace RPC_* with appropriate address details and credentials of RabbitMQ server:

    [DEFAULT]
    
    # A URL representing the messaging driver to use and its full
    # configuration. (string value)
    transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/
    
  3. Configure the ironic-api service to use these credentials with the Identity service. Replace PUBLIC_IDENTITY_IP with the public IP of the Identity server, PRIVATE_IDENTITY_IP with the private IP of the Identity server and replace IRONIC_PASSWORD with the password you chose for the ironic user in the Identity service:

    [DEFAULT]
    
    # Authentication strategy used by ironic-api: one of
    # "keystone" or "noauth". "noauth" should not be used in a
    # production environment because all authentication will be
    # disabled. (string value)
    auth_strategy=keystone
    
    [keystone_authtoken]
    
    # Authentication type to load (string value)
    auth_type=password
    
    # Complete public Identity API endpoint (string value)
    auth_uri=http://PUBLIC_IDENTITY_IP:5000
    
    # Complete admin Identity API endpoint. (string value)
    auth_url=http://PRIVATE_IDENTITY_IP:35357
    
    # Service username. (string value)
    username=ironic
    
    # Service account password. (string value)
    password=IRONIC_PASSWORD
    
    # Service tenant name. (string value)
    project_name=service
    
    # Domain name containing project (string value)
    project_domain_name=Default
    
    # User's domain name (string value)
    user_domain_name=Default
    
  4. Create the Bare Metal service database tables:

    $ ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
    
  5. Restart the ironic-api service:

    Fedora/RHEL7/CentOS7:
      sudo systemctl restart openstack-ironic-api
    
    Ubuntu:
      sudo service ironic-api restart
    

Configuring ironic-api behind mod_wsgi

Bare Metal service comes with an example file for configuring the ironic-api service to run behind Apache with mod_wsgi.

  1. Install the apache service:

    Fedora 21/RHEL7/CentOS7:
      sudo yum install httpd
    
    Fedora 22 (or higher):
      sudo dnf install httpd
    
    Debian/Ubuntu:
      apt-get install apache2
    
  2. Copy the etc/apache2/ironic file under the apache sites:

    Fedora/RHEL7/CentOS7:
      sudo cp etc/apache2/ironic /etc/httpd/conf.d/ironic.conf
    
    Debian/Ubuntu:
      sudo cp etc/apache2/ironic /etc/apache2/sites-available/ironic.conf
    
  3. Edit the recently copied <apache-configuration-dir>/ironic.conf:

    1. Modify the WSGIDaemonProcess, APACHE_RUN_USER and APACHE_RUN_GROUP directives to set the user and group values to an appropriate user on your server.
    2. Modify the WSGIScriptAlias directive to point to the ironic/api/app.wsgi script.
    3. Modify the Directory directive to set the path to the Ironic API code.
    4. Modify the ErrorLog and CustomLog to redirect the logs to the right directory (on Red Hat systems this is usually under /var/log/httpd).
  4. Enable the apache ironic in site and reload:

    Fedora/RHEL7/CentOS7:
      sudo systemctl reload httpd
    
    Debian/Ubuntu:
      sudo a2ensite ironic
      sudo service apache2 reload
    

Note

The file ironic/api/app.wsgi is installed with the rest of the Bare Metal service application code, and should not need to be modified.

Configuring ironic-conductor service

  1. Replace HOST_IP with IP of the conductor host, and replace DRIVERS with a comma-separated list of drivers you chose for the conductor service as follows:

    [DEFAULT]
    
    # IP address of this host. If unset, will determine the IP
    # programmatically. If unable to do so, will use "127.0.0.1".
    # (string value)
    my_ip=HOST_IP
    
    # Specify the list of drivers to load during service
    # initialization. Missing drivers, or drivers which fail to
    # initialize, will prevent the conductor service from
    # starting. The option default is a recommended set of
    # production-oriented drivers. A complete list of drivers
    # present on your system may be found by enumerating the
    # "ironic.drivers" entrypoint. An example may be found in the
    # developer documentation online. (list value)
    enabled_drivers=DRIVERS
    

    Note

    If a conductor host has multiple IPs, my_ip should be set to the IP which is on the same network as the bare metal nodes.

  2. Configure the ironic-api service URL. Replace IRONIC_API_IP with IP of ironic-api service as follows:

    [conductor]
    
    # URL of Ironic API service. If not set ironic can get the
    # current value from the keystone service catalog. (string
    # value)
    api_url=http://IRONIC_API_IP:6385
    
  3. Configure the location of the database. Ironic-conductor should use the same configuration as ironic-api. Replace IRONIC_DBPASSWORD with the password of your ironic user, and replace DB_IP with the IP address where the DB server is located:

    [database]
    
    # The SQLAlchemy connection string to use to connect to the
    # database. (string value)
    connection=mysql+pymysql://ironic:IRONIC_DBPASSWORD@DB_IP/ironic?charset=utf8
    
  4. Configure the ironic-conductor service to use the RabbitMQ message broker by setting the following option. Ironic-conductor should use the same configuration as ironic-api. Replace RPC_* with appropriate address details and credentials of RabbitMQ server:

    [DEFAULT]
    
    # A URL representing the messaging driver to use and its full
    # configuration. (string value)
    transport_url = rabbit://RPC_USER:RPC_PASSWORD@RPC_HOST:RPC_PORT/
    
  5. Configure the ironic-conductor service so that it can communicate with the Image service. Replace GLANCE_IP with the hostname or IP address of the Image service:

    [glance]
    
    # Default glance hostname or IP address. (string value)
    glance_host=GLANCE_IP
    

    Note

    Swift backend for the Image service should be installed and configured for agent_* drivers. Starting with Mitaka the Bare Metal service also supports Ceph Object Gateway (RADOS Gateway) as the Image service’s backend (radosgw support).

  6. Set the URL (replace NEUTRON_IP) for connecting to the Networking service, to be the Networking service endpoint:

    [neutron]
    
    # URL for connecting to neutron. (string value)
    url=http://NEUTRON_IP:9696
    

    To configure the network for ironic-conductor service to perform node cleaning, see CleaningNetworkSetup from the Ironic deploy guide.

  7. Configure credentials for accessing other OpenStack services.

    In order to communicate with other OpenStack services, the Bare Metal service needs to use service users to authenticate to the OpenStack Identity service when making requests to other services. These users’ credentials have to be configured in each configuration file section related to the corresponding service:

    • [neutron] - to access the OpenStack Networking service
    • [glance] - to access the OpenStack Image service
    • [swift] - to access the OpenStack Object Storage service
    • [inspector] - to access the OpenStack Bare Metal Introspection service
    • [service_catalog] - a special section holding credentials the Bare Metal service will use to discover its own API URL endpoint as registered in the OpenStack Identity service catalog.

    For simplicity, you can use the same service user for all services. For backward compatibility, this should be the same user configured in the [keystone_authtoken] section for the ironic-api service (see “Configuring ironic-api service”). However, this is not necessary, and you can create and configure separate service users for each service.

    Under the hood, Bare Metal service uses keystoneauth library together with Authentication plugin and Session concepts provided by it to instantiate service clients. Please refer to Keystoneauth documentation for supported plugins, their available options as well as Session-related options for authentication and connection respectively.

    In the example below, authentication information for user to access the OpenStack Networking service is configured to use:

    • HTTPS connection with specific CA SSL certificate when making requests
    • the same service user as configured for ironic-api service
    • dynamic password authentication plugin that will discover appropriate version of Identity service API based on other provided options
      • replace IDENTITY_IP with the IP of the Identity server, and replace IRONIC_PASSWORD with the password you chose for the ironic user in the Identity service
    [neutron]
    
    # Authentication type to load (string value)
    auth_type = password
    
    # Authentication URL (string value)
    auth_url=https://IDENTITY_IP:5000/
    
    # Username (string value)
    username=ironic
    
    # User's password (string value)
    password=IRONIC_PASSWORD
    
    # Project name to scope to (string value)
    project_name=service
    
    # Domain ID containing project (string value)
    project_domain_id=default
    
    # User's domain id (string value)
    user_domain_id=default
    
    # PEM encoded Certificate Authority to use when verifying
    # HTTPs connections. (string value)
    cafile=/opt/stack/data/ca-bundle.pem
    
  8. Make sure that qemu-img and iscsiadm (in the case of using iscsi-deploy driver) binaries are installed and prepare the host system as described at Setup the drivers for the Bare Metal service

  9. Restart the ironic-conductor service:

    Fedora/RHEL7/CentOS7:
      sudo systemctl restart openstack-ironic-conductor
    
    Ubuntu:
      sudo service ironic-conductor restart
    
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.