OpenStack Ironic
OpenStack bare metal provisioning (a.k.a. Ironic) is an integrated OpenStack program, forked from the Nova baremetal driver, which aims to provision bare metal machines instead of virtual machines. It is best thought of as a bare metal hypervisor API and a set of plugins which interact with the bare metal hypervisors. By default, it uses PXE and IPMI to provision machines and turn them on and off, but Ironic also supports vendor-specific plugins which may implement additional functionality. For a general overview please see: Introduction to Ironic.
Install
Basic install
- Before setting up Ironic, perform the following:
- Install OpenStack with Neutron
- Create and delete a VM to test the setup
Once you have confirmed the above, configure the existing setup for Ironic with the following steps.
- Configure Ironic user in Keystone:
$ keystone user-create --name=ironic --pass=IRONIC_PASSWORD --email=ironic@example.com
$ keystone user-role-add --user=ironic --tenant=service --role=admin
- Register Ironic with Keystone:
$ keystone service-create --name=ironic --type=baremetal --description="Ironic bare metal provisioning service"
- Create Keystone endpoint:
$ keystone endpoint-create \
    --service-id=the_service_id_above \
    --publicurl=http://IRONIC_NODE:6385 \
    --internalurl=http://IRONIC_NODE:6385 \
    --adminurl=http://IRONIC_NODE:6385
- Setup database:
$ mysql -u root -p
mysql> CREATE DATABASE ironic CHARACTER SET utf8;
mysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'localhost' IDENTIFIED BY 'IRONIC_DBPASSWORD';
mysql> GRANT ALL PRIVILEGES ON ironic.* TO 'ironic'@'%' IDENTIFIED BY 'IRONIC_DBPASSWORD';
- Ironic is configured via its configuration file. This file is typically located at /etc/ironic/ironic.conf:
[DEFAULT]
enabled_drivers = pxe_ipmitool
debug=True
auth_strategy=keystone
log_dir=/var/log/ironic/
rabbit_host=<rabbitmq_server>

[api]
port=6385

[conductor]

[database]
# user:password must match the database grant created above
connection = mysql://ironic:ironic@<database_server>/ironic?charset=utf8

[glance]
glance_host=<glance_server>
glance_port=9292
glance_protocol=http
glance_num_retries=2
auth_strategy=keystone

[ipmi]

[keystone_authtoken]
signing_dir = /var/cache/ironic/api
# admin_user/admin_password must match the Keystone user created above
admin_password = ironic
admin_user = ironic
admin_tenant_name = service
auth_uri = http://<keystone_server>:5000/v2.0
identity_uri = http://<keystone_server>:35357
auth_protocol = http
auth_port = 35357
auth_host = <keystone_server>
admin_token = token123

[matchmaker_redis]

[matchmaker_ring]

[neutron]
url=http://<neutron_server>:9696

[pxe]

[rpc_notifier2]

[seamicro]

[ssh]

[ssl]
- Create the Ironic (aka "Bare Metal Service") database tables:
$ ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
- Restart the Ironic services:
$ service ironic-api restart
$ service ironic-conductor restart
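The sample ironic.conf above enables debug logging, stores a static admin_token, reaches Keystone, Glance and Neutron over plain http, and uses passwords equal to the user name. The following check flags those settings before a configuration like it goes beyond a lab; it is an added example, not part of Ironic or of the original page, and the function name, finding strings and SAMPLE excerpt are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed excerpt of the ironic.conf shown above, placeholders kept.
SAMPLE = """\
[DEFAULT]
debug=True
[database]
connection = mysql://ironic:ironic@<database_server>/ironic?charset=utf8
[glance]
glance_protocol=http
[keystone_authtoken]
admin_password = ironic
admin_user = ironic
auth_uri = http://<keystone_server>:5000/v2.0
identity_uri = http://<keystone_server>:35357
admin_token = token123
[neutron]
url=http://<neutron_server>:9696
"""

def audit(text):
    """Return (section, option, finding) for each weak setting in an INI text."""
    # Treat [DEFAULT] as an ordinary section so its keys are reported once.
    cfg = configparser.ConfigParser(interpolation=None,
                                    default_section="__no_default__")
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for option, value in cfg[section].items():
            url = urlsplit(value)
            plain = url.scheme == "http" or (
                option.endswith("_protocol") and value.lower() == "http")
            if option == "debug" and value.lower() == "true":
                findings.append((section, option, "debug logging enabled"))
            if option == "admin_token" and value:
                findings.append((section, option, "static token in config"))
            if plain:
                findings.append((section, option, "plaintext HTTP"))
            if url.password and url.password == url.username:
                findings.append((section, option, "password equals user name"))
            if option == "admin_password" and value == cfg[section].get("admin_user"):
                findings.append((section, option, "password equals user name"))
    return findings

if __name__ == "__main__":
    for section, option, finding in audit(SAMPLE):
        print(f"[{section}] {option}: {finding}")
```

To check a deployed file, pass its contents to audit(), for example audit(open("/etc/ironic/ironic.conf").read()).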
- Configure the compute (nova) service (/etc/nova/nova.conf):
[DEFAULT]
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
compute_driver=ironic.nova.virt.ironic.IronicDriver
scheduler_host_manager=ironic.nova.scheduler.ironic_host_manager.IronicHostManager
ram_allocation_ratio=1.0
reserved_host_memory_mb=0

[ironic]
# Ironic keystone admin name
admin_username=ironic
# Ironic keystone admin password.
admin_password=ironic
# keystone API endpoint
admin_url=http://<keystone_server>:35357/v2.0
# Ironic keystone tenant name.
admin_tenant_name=service
# URL for Ironic API endpoint.
api_endpoint=http://<ironic_api_server>:6385/v1
- Restart the Nova services:
$ service nova-scheduler restart
$ service nova-compute restart
- Configure networking with Neutron
- Edit /etc/neutron/plugins/ml2/ml2_conf.ini and modify the following:
[ml2]
type_drivers = flat
tenant_network_types = flat
mechanism_drivers = openvswitch

[ml2_type_flat]
flat_networks = physnet1

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

[ovs]
network_vlan_ranges = physnet1
bridge_mappings = physnet1:br-em2
# Replace em2 with the interface on the neutron node which you
# are using to connect to the bare metal server
- Add the integration bridge to Open vSwitch:
$ ovs-vsctl add-br br-int
- Create the br-em2 network bridge to handle communication between the OpenStack (and Bare Metal) services and the bare metal nodes using em2. Replace em2 with the interface on the neutron node which you are using to connect to the bare metal service:
$ ovs-vsctl add-br br-em2
$ ovs-vsctl add-port br-em2 em2
- Restart the Open vSwitch agent:
$ service neutron-plugin-openvswitch-agent restart
Show the changes with:
$ ovs-vsctl show
    Bridge br-ex
        Port "em1"
            Interface "em1"
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        Port "int-br-em2"
            Interface "int-br-em2"
        Port br-int
            Interface br-int
                type: internal
    Bridge "br-em2"
        Port "br-em2"
            Interface "br-em2"
                type: internal
        Port "phy-br-em2"
            Interface "phy-br-em2"
        Port "em2"
            Interface "em2"
    ovs_version: "2.0.1"
- Create the flat network on which you are going to launch the instances:
$ neutron net-create --tenant-id ${TENANT_ID} sharednet1 --shared \
    --provider:network_type flat --provider:physical_network physnet1
- Create subnet:
$ neutron subnet-create sharednet1 --gateway <GateWay> <Network_CIDR> --name subnet1
Bare-metal provisioning requires two sets of images: the deploy images and the user images. The disk-image-builder can be used to create the images required for deployment and the actual OS which the user is going to run.
- Clone the project and run the subsequent commands from the project directory:
$ git clone https://github.com/openstack/diskimage-builder.git
$ cd diskimage-builder
- Build the image your users will run (an Ubuntu image is used in this example):
$ bin/disk-image-create -u ubuntu -o my-image
The above command creates the my-image.qcow2 file. If you want to use a Fedora image, replace ubuntu with fedora in the above command.
- Extract the kernel and ramdisk:
$ bin/disk-image-get-kernel -d ./ -o my -i $(pwd)/my-image.qcow2
The above command creates the my-vmlinuz and my-initrd files. These images are used while deploying the actual OS the users will run (my-image in this case).
- Build the deploy image:
$ bin/ramdisk-image-create ubuntu deploy-ironic -o my-deploy-ramdisk
The above command creates the my-deploy-ramdisk.kernel and my-deploy-ramdisk.initramfs files, which are used initially for preparing the server (creating disk partitions) before the actual OS deploy. If you want to use a Fedora image, replace ubuntu with fedora in the above command.
Add the user images to Glance. Load all the images created above into Glance using the steps below, and note the Glance image UUID for each one as it is generated.
- Add the kernel and ramdisk images to Glance:
$ glance image-create --name my-kernel --public --disk-format aki < my-vmlinuz
Store the image UUID obtained from the above step as $MY_VMLINUZ_UUID.
$ glance image-create --name my-ramdisk --public --disk-format ari < my-initrd
Store the image UUID obtained from the above step as $MY_INITRD_UUID.
- Add my-image to Glance; this is the OS that the user is going to run. Also associate the kernel and ramdisk images created above with this OS image. Both operations can be done by executing the following command:
$ glance image-create --name my-image --public \
    --disk-format qcow2 --container-format bare \
    --property kernel_id=${MY_VMLINUZ_UUID} \
    --property ramdisk_id=${MY_INITRD_UUID} < my-image.qcow2
- Add the deploy images to glance. Add the my-deploy-ramdisk.kernel and my-deploy-ramdisk.initramfs images to glance:
$ glance image-create --name deploy-vmlinuz --public --disk-format aki < my-deploy-ramdisk.kernel
Store the image UUID obtained from the above step as $DEPLOY_VMLINUZ_UUID.
$ glance image-create --name deploy-initrd --public --disk-format ari < my-deploy-ramdisk.initramfs
Store the image UUID obtained from the above step as $DEPLOY_INITRD_UUID.
You will need to create a special Bare Metal flavor in Nova. The flavor is mapped to the bare metal server through the hardware specifications.
- Change the following to match your hardware:
RAM_MB=1024
CPU=2
DISK_GB=100
ARCH={i686|x86_64}
- Create the bare-metal flavor by executing the following command:
$ nova flavor-create my-baremetal-flavor auto ${RAM_MB} ${DISK_GB} ${CPU}
$ nova flavor-key my-baremetal-flavor set cpu_arch=$ARCH \
    "baremetal:deploy_kernel_id"=${DEPLOY_VMLINUZ_UUID} \
    "baremetal:deploy_ramdisk_id"=${DEPLOY_INITRD_UUID}
- Create a node in Ironic:
$ ironic node-create -d pxe_ipmitool \
    -i ipmi_address=<ipmi_address> \
    -i ipmi_username=<ipmi_username> \
    -i ipmi_password=<ipmi_password>
# NODE_UUID is the UUID printed by node-create above
$ ironic node-update $NODE_UUID add \
    driver_info/pxe_deploy_kernel=$DEPLOY_VMLINUZ_UUID \
    driver_info/pxe_deploy_ramdisk=$DEPLOY_INITRD_UUID
- Create a port for the server:
$ NODE_ID=<replace_with_UUID_from_above>
$ MAC_ADDRESS=00:00:00:00:00:00 # The MAC address of the node Ironic will provision
$ ironic port-create -n ${NODE_ID} -a ${MAC_ADDRESS}
- If you will be using PXE, it needs to be set up on the Bare Metal Service node(s) where ironic-conductor is running.
Make sure the tftp root directory exists and can be written to by the user the ironic-conductor is running as. For example:
$ sudo mkdir -p /tftpboot
$ sudo chown -R ironic /tftpboot
- Install tftp server and the syslinux package with the PXE boot images:
# Ubuntu:
$ sudo apt-get install tftpd-hpa syslinux syslinux-common
# Fedora/RHEL:
$ sudo yum install tftp-server syslinux-tftpboot
- Setup tftp server to serve /tftpboot. Copy the PXE image to /tftpboot. The PXE image might be found at [1]:
# Ubuntu:
$ sudo cp /usr/lib/syslinux/pxelinux.0 /tftpboot
- Edit /etc/default/tftpd-hpa, remove everything and paste the following:
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/tftpboot"
TFTP_ADDRESS="[::]:69"
#TFTP_OPTIONS="--secure"
TFTP_OPTIONS="--map-file /tftpboot/map-file -v -v -v -v"
To be able to access absolute paths over tftp, do the following steps.
- Create a map file in /tftpboot/map-file:
r ^([^/]) /tftpboot/\1
- The tftp service should be running like below:
/usr/sbin/in.tftpd --listen --user tftp --address [::]:69 --map-file /tftpboot/map-file -v -v -v -v /tftpboot
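The map-file rule above rewrites only request names that do not start with "/", so relative and absolute /tftpboot names end up at the same file while other absolute names pass through unchanged. The following sketch emulates that rewrite and adds a containment check on the result; it is an added example, not tftpd-hpa code or part of the original page, it emulates only the r, i and e rule flags, and the function names are hypothetical.

```python
import posixpath
import re

TFTP_ROOT = "/tftpboot"
# The page's /tftpboot/map-file, embedded so the example runs offline.
MAP_FILE = r"""
# prefix names that do not start with "/" with the TFTP root
r ^([^/]) /tftpboot/\1
"""

def parse_rules(text):
    """Return (flags, compiled regex, replacement) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flags, pattern, *rest = line.split(None, 2)
        regex = re.compile(pattern, re.I if "i" in flags else 0)
        rules.append((flags, regex, rest[0] if rest else ""))
    return rules

def remap(name, rules):
    """Apply the rules in order; only the r, i and e flags are emulated."""
    for flags, regex, repl in rules:
        if not regex.search(name):
            continue
        if "r" in flags:
            name = regex.sub(repl, name, count=1)
        if "e" in flags:
            break
    return name

def served_path(name, rules=None):
    """Rewritten path, or None when it resolves outside TFTP_ROOT.

    The containment check is this example's own safeguard, not tftpd logic.
    """
    rules = parse_rules(MAP_FILE) if rules is None else rules
    path = posixpath.normpath(remap(name, rules))
    inside = path == TFTP_ROOT or path.startswith(TFTP_ROOT + "/")
    return path if inside else None

if __name__ == "__main__":
    for name in ("pxelinux.0", "/tftpboot/pxelinux.cfg/default", "/etc/passwd"):
        print(name, "->", served_path(name))
```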
- IPMI support
If using the IPMITool driver, the ipmitool command must be present on the service node(s) where ironic-conductor is running. On most distros, this is provided as part of the ipmitool package. Source code is available at http://ipmitool.sourceforge.net/
Note that certain distros, notably Mac OS X and SLES, install openipmi instead of ipmitool by default. THIS DRIVER IS NOT COMPATIBLE WITH openipmi AS IT RELIES ON ERROR HANDLING OPTIONS NOT PROVIDED BY THIS TOOL.
Check that you can connect to and authenticate with the IPMI controller in your bare metal server by using ipmitool:
$ ipmitool -I lanplus -H <ip-address> -U <username> -P <password> chassis power status
- Test setup with nova:
$ nova boot --flavor my-baremetal-flavor --key-name mykey --image my-image --nic net-id=${NET_ID} my-vm-name1
- Debug commands
Sometimes the VM goes into an error state and does not get deleted. In that case, run the following command in ironic:
$ ironic node-update ${NODE_ID} remove instance_uuid
Always check that the node is not in maintenance mode. If it is in maintenance mode then remove it with:
$ ironic node-update ${NODE_ID} replace maintenance=False