From 66d44fc5064e67974192c6bc526584419ee6d642 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Wed, 21 Feb 2024 15:07:24 +0100 Subject: [PATCH] User guide: updates for Inspector removal Depends on: - https://github.com/metal3-io/baremetal-operator/pull/1544 Signed-off-by: Dmitry Tantsur --- docs/user-guide/src/baremetal/guide.md | 10 ++-- .../src/bmo/install_baremetal_operator.md | 55 ++++++++++--------- .../src/bmo/ironic_bmo_configmap.env | 4 +- docs/user-guide/src/capm3/pivoting.md | 4 +- .../src/developer_environment/tryit.md | 2 +- .../src/ironic/ironic-python-agent.md | 6 +- .../src/ironic/ironic_installation.md | 8 +-- .../user-guide/src/ironic/ironic_variables.md | 1 - 8 files changed, 45 insertions(+), 45 deletions(-) diff --git a/docs/user-guide/src/baremetal/guide.md b/docs/user-guide/src/baremetal/guide.md index 4c95bf92..8cf87dbf 100644 --- a/docs/user-guide/src/baremetal/guide.md +++ b/docs/user-guide/src/baremetal/guide.md @@ -134,8 +134,8 @@ Install following requirements on the host. # The URL of the Ironic endpoint. export IRONIC_URL="http://172.22.0.1:6385/v1/" - # The URL of the Ironic inspector endpoint. - export IRONIC_INSPECTOR_URL="http://172.22.0.1:5050/v1/" + # The URL of the Ironic inspector endpoint - only before BMO 0.5.0. + #export IRONIC_INSPECTOR_URL="http://172.22.0.1:5050/v1/" # Do not use a dedicated CA certificate for Ironic API. # Any value provided in this variable disables additional CA certificate validation. 
@@ -147,13 +147,13 @@ Install following requirements on the host. # Any value provided in this variable disables authentication. # To enable authentication, leave this variable unset. # If unset, then IRONIC_USERNAME and IRONIC_PASSWORD must be set. - export IRONIC_NO_BASIC_AUTH=true + #export IRONIC_NO_BASIC_AUTH=true - # Disables basic authentication for Ironic inspector API. + # Disables basic authentication for Ironic inspector API (when used). # Any value provided in this variable disables authentication. # To enable authentication, leave this variable unset. # If unset, then IRONIC_INSPECTOR_USERNAME and IRONIC_INSPECTOR_PASSWORD must be set. - export IRONIC_INSPECTOR_NO_BASIC_AUTH=true + #export IRONIC_INSPECTOR_NO_BASIC_AUTH=true ``` - Launch baremetal operator. diff --git a/docs/user-guide/src/bmo/install_baremetal_operator.md b/docs/user-guide/src/bmo/install_baremetal_operator.md index ea159afe..3527ac8e 100644 --- a/docs/user-guide/src/bmo/install_baremetal_operator.md +++ b/docs/user-guide/src/bmo/install_baremetal_operator.md @@ -26,9 +26,6 @@ drivers that support ISO boot. Optional if kernel/ramdisk are set. `IRONIC_ENDPOINT` -- The URL for the operator to use when talking to Ironic. -`IRONIC_INSPECTOR_ENDPOINT` -- The URL for the operator to use when talking to -Ironic Inspector. - `IRONIC_CACERT_FILE` -- The path of the CA certificate file of Ironic, if needed `IRONIC_INSECURE` -- ("True", "False") Whether to skip the ironic certificate @@ -59,6 +56,11 @@ BMO_CONCURRENCY value lower than the requested PROVISIONING_LIMIT. Default is 20 nodes that use IPv6. In dual stack environments, this can be used to tell Ironic which IP version it should set on the BMC. +### Deprecated options + +`IRONIC_INSPECTOR_ENDPOINT` -- The URL for the operator to use when talking to +Ironic Inspector. Only supported before baremetal-operator 0.5.0. + ## Kustomization Configuration It is possible to deploy ```baremetal-operator``` with three different operator 
@@ -81,29 +83,28 @@ When an external Ironic is used, the following requirements must be met: ## Authenticating to Ironic -Because hosts under the control of Metal³ need to contact the Ironic and Ironic -Inspector APIs during inspection and provisioning, it is highly advisable to -require authentication on those APIs, since the provisioned hosts running user -workloads will remain connected to the provisioning network. +Because hosts under the control of Metal³ need to contact the Ironic API during +inspection and provisioning, it is highly advisable to require authentication +on those APIs, since the provisioned hosts running user workloads will remain +connected to the provisioning network. ### Configuration -The `baremetal-operator` supports connecting to Ironic and Ironic Inspector -configured with the following `auth_strategy` modes: +The `baremetal-operator` supports connecting to Ironic with the following +`auth_strategy` modes: -* `noauth` (no authentication) +* `noauth` (no authentication - not recommended) * `http_basic` (HTTP [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication)) -Note that Keystone authentication methods are not yet supported. +Note that Keystone (OpenStack Identity) authentication methods are not yet +supported. Authentication configuration is read from the filesystem, beginning at the root directory specified in the environment variable `METAL3_AUTH_ROOT_DIR`. If this variable is empty or not specified, the default is `/opt/metal3/auth`. -Within the root directory there are separate subdirectories, `ironic` for -Ironic client configuration, and `ironic-inspector` for Ironic Inspector client -configuration. (This allows the data to be populated from separate secrets when -deploying in Kubernetes.) +Within the root directory, there is a separate subdirectory `ironic` for +Ironic client configuration. #### `noauth` 
@@ -229,9 +230,6 @@ ironic-deployment/ │   │   ├── ironic-auth-config │   │   ├── ironic-auth-config-tpl │   │   ├── ironic-htpasswd -│   │   ├── ironic-inspector-auth-config -│   │   ├── ironic-inspector-auth-config-tpl -│   │   ├── ironic-inspector-htpasswd │   │   └── kustomization.yaml │   ├── keepalived │   │   ├── ironic_bmo_configmap.env @@ -266,8 +264,8 @@ For more information, check the readme in the `ironic-deployment` folder. There is a useful deployment script that configures and deploys BareMetal Operator and Ironic. It requires some variables : -* IRONIC_HOST : domain name for Ironic and inspector -* IRONIC_HOST_IP : IP on which Ironic and inspector are listening +* IRONIC_HOST : domain name for Ironic +* IRONIC_HOST_IP : IP on which Ironic is listening In addition you can configure the following variables. They are **optional**. If you leave them unset, then passwords and certificates will be generated 
@@ -276,23 +274,26 @@ for you. * KUBECTL_ARGS : Additional arguments to kubectl apply * IRONIC_USERNAME : username for ironic * IRONIC_PASSWORD : password for ironic -* IRONIC_INSPECTOR_USERNAME : username for inspector -* IRONIC_INSPECTOR_PASSWORD : password for inspector * IRONIC_CACERT_FILE : CA certificate path for ironic * IRONIC_CAKEY_FILE : CA certificate key path, unneeded if ironic * certificates exist * IRONIC_CERT_FILE : Ironic certificate path * IRONIC_KEY_FILE : Ironic certificate key path +* MARIADB_KEY_FILE: Path to the key of MariaDB +* MARIADB_CERT_FILE: Path to the cert of MariaDB +* MARIADB_CAKEY_FILE: Path to the CA key of MariaDB +* MARIADB_CACERT_FILE: Path to the CA certificate of MariaDB + +Before version 0.5.0, Ironic Inspector parameters were also used: + +* IRONIC_INSPECTOR_USERNAME : username for inspector +* IRONIC_INSPECTOR_PASSWORD : password for inspector * IRONIC_INSPECTOR_CERT_FILE : Inspector certificate path * IRONIC_INSPECTOR_KEY_FILE : Inspector certificate key path * IRONIC_INSPECTOR_CACERT_FILE : CA certificate path for inspector, defaults to -* IRONIC_CACERT_FILE + IRONIC_CACERT_FILE * IRONIC_INSPECTOR_CAKEY_FILE : CA certificate key path, unneeded if inspector certificates exist -* MARIADB_KEY_FILE: Path to the key of MariaDB -* MARIADB_CERT_FILE: Path to the cert of MariaDB -* MARIADB_CAKEY_FILE: Path to the CA key of MariaDB -* MARIADB_CACERT_FILE: Path to the CA certificate of MariaDB Then run : diff --git a/docs/user-guide/src/bmo/ironic_bmo_configmap.env b/docs/user-guide/src/bmo/ironic_bmo_configmap.env index 4bcbb19e..cb9f4b7c 100644 --- a/docs/user-guide/src/bmo/ironic_bmo_configmap.env +++ b/docs/user-guide/src/bmo/ironic_bmo_configmap.env 
@@ -4,8 +4,8 @@ DHCP_RANGE=172.22.0.10,172.22.0.100 DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/ -IRONIC_INSPECTOR_ENDPOINT=http://172.22.0.2:5050/v1/ +# IRONIC_INSPECTOR_ENDPOINT=http://172.22.0.2:5050/v1/ CACHEURL=http://172.22.0.1/images IRONIC_FAST_TRACK=true IRONIC_KERNEL_PARAMS=console=ttyS0 -IRONIC_INSPECTOR_VLAN_INTERFACES=all \ No newline at end of file +IRONIC_INSPECTOR_VLAN_INTERFACES=all diff --git a/docs/user-guide/src/capm3/pivoting.md b/docs/user-guide/src/capm3/pivoting.md index e6bd4c7b..db9b01b9 100644 --- a/docs/user-guide/src/capm3/pivoting.md +++ b/docs/user-guide/src/capm3/pivoting.md @@ -119,8 +119,8 @@ This can now be achieved with the following procedure: is up and running then the CAPI and provider components can be installed with `clusterctl` to the bootstrap cluster. -2. Install Ironic components namely: ironic, ironic-inspector, - ironic-endpoint-keepalived, httpd and dnsmasq. +2. Install Ironic components, namely: ironic, ironic-endpoint-keepalived, httpd + and dnsmasq. 3. Use clusterctl init to install the provider components diff --git a/docs/user-guide/src/developer_environment/tryit.md b/docs/user-guide/src/developer_environment/tryit.md index c95256b3..79e77a48 100644 --- a/docs/user-guide/src/developer_environment/tryit.md +++ b/docs/user-guide/src/developer_environment/tryit.md 
@@ -585,7 +585,7 @@ useful for troubleshooting to find out why a node did not deploy. | driver_internal_info | {u'last_power_state_change': u'2022-01-19T13:04:01.981882', u'agent_version': u'8.3.1.dev2', u'agent_last_heartbeat': u'2022-01-19T13:03:51.874842', u'clean_steps': None, u'agent_erase_devices_iterations': 1, u'agent_erase_devices_zeroize': True, u'agent_continue_if_secure_erase_failed': False, u'agent_continue_if_ata_erase_failed': False, u'agent_enable_nvme_secure_erase': True, u'disk_erasure_concurrency': 1, u'agent_erase_skip_read_only': False, u'hardware_manager_version': {u'generic_hardware_manager': u'1.1'}, u'agent_cached_clean_steps_refreshed': u'2022-01-19 13:03:47.558697', u'deploy_steps': None, u'agent_cached_deploy_steps_refreshed': u'2022-01-19 12:09:34.731244'} | | extra | {} | | fault | None | -| inspect_interface | inspector | +| inspect_interface | agent | | inspection_finished_at | None | | inspection_started_at | 2022-01-19T10:56:17+00:00 | | instance_info | {u'capabilities': {}, u'image_source': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img', u'image_os_hash_algo': u'md5', u'image_os_hash_value': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img.md5sum', u'image_checksum': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img.md5sum', u'image_disk_format': u'raw'} | diff --git a/docs/user-guide/src/ironic/ironic-python-agent.md b/docs/user-guide/src/ironic/ironic-python-agent.md index 3bf14a83..5d359538 100644 --- a/docs/user-guide/src/ironic/ironic-python-agent.md +++ b/docs/user-guide/src/ironic/ironic-python-agent.md 
@@ -1,6 +1,6 @@ # Ironic Python Agent (IPA) -[IPA](https://docs.openstack.org/ironic-python-agent/latest/) is a service written in python that runs within a ramdisk. It provides remote access to `ironic` and `ironic-inspector` services to perform various operations on the managed server. It also sends information about the server to `Ironic`. +[IPA](https://docs.openstack.org/ironic-python-agent/latest/) is a service written in python that runs within a ramdisk. It provides remote access for `Ironic` to perform various operations on the managed server. It also sends information about the server to `Ironic`. By default, we pull IPA images from [Ironic upstream](https://tarballs.opendev.org/openstack/ironic-python-agent/dib) archive where an image is built on every commit to the *master* git branch. @@ -11,14 +11,14 @@ However, another remote registry or a local IPA archive can be specified. [ipa-d IPA interacts with other components. The information exchanged and the component to which it is sent to or received from are described below. The communication between IPA and these components can be encrypted in-transit with SSL/TLS. +- Inspection: data about hardware details, such as CPU, disk, RAM and network interfaces. - Heartbeat: periodic message informing Ironic that the node is still running. - Lookup: data sent to Ironic that helps it determine Ironic’s node UUID for the node. -- Introspection: data about hardware details, such as CPU, disk, RAM and network interfaces. The above data is sent/received as follows. +- Inspection result is sent to Ironic - Lookup/heartbeats data is sent to Ironic. -- Introspection result is sent to ironic-inspector. - User supplied boot image that will be written to the node’s disk is retrieved from HTTPD server ## References diff --git a/docs/user-guide/src/ironic/ironic_installation.md b/docs/user-guide/src/ironic/ironic_installation.md index 8f67386c..ce8c99a0 100644 --- a/docs/user-guide/src/ironic/ironic_installation.md 
+++ b/docs/user-guide/src/ironic/ironic_installation.md @@ -6,7 +6,6 @@ there are a couple of containers that must run in order to provision baremetal nodes: - ironic (the main provisioning service) -- ironic-inspector (the auxiliary inspection service) - ipa-downloader (init container to download and cache the deployment ramdisk image) - httpd (HTTP server that serves cached images and iPXE configuration) @@ -20,6 +19,8 @@ A few other containers are optional: - ironic-log-watch (to provide access to the deployment ramdisk logs) - mariadb (the provisioning service database; SQLite can be used as a lightweight alternative) +- ironic-inspector (the auxiliary inspection service - only used in older + versions of Metal3) ## Prerequisites @@ -30,7 +31,7 @@ A separate provisioning network is required when network boot is used. The following ports must be accessible by the hosts being provisioned: - TCP 6385 (Ironic API) -- TCP 5050 (Inspector API) +- TCP 5050 (Inspector API; when used) - TCP 80 (HTTP server; can be changed via the `HTTP_PORT` environment variable) - UDP 67/68/546/547 (DHCP and DHCPv6; when network boot is used) - UDP 69 (TFTP; when network boot is used) @@ -89,7 +90,6 @@ variables](#environmental-variables) on the current shell before calling [run_lo installation script. This will start below containers: - ironic -- ironic-inspector - ironic-endpoint-keepalived - ironic-log-watch - ipa-downloader @@ -101,7 +101,7 @@ If in-cluster ironic installation, we used different manifests for TLS and basic here we are exporting environment variables for enabling/disabling TLS & basic auth but use the same script. -TLS and Basic authentication disabled +TLS and Basic authentication disabled (not recommended) ```bash export IRONIC_FAST_TRACK="false" # Example of manipulating Ironic settings diff --git a/docs/user-guide/src/ironic/ironic_variables.md b/docs/user-guide/src/ironic/ironic_variables.md index 1a5ba941..83a26ca6 100644 
--- a/docs/user-guide/src/ironic/ironic_variables.md +++ b/docs/user-guide/src/ironic/ironic_variables.md @@ -10,7 +10,6 @@ The following environmental variables can be passed to configure the Ironic serv - `DEPLOY_KERNEL_URL` - the URL of the kernel to deploy ironic-python-agent - `DEPLOY_RAMDISK_URL` - the URL of the ramdisk to deploy ironic-python-agent - `IRONIC_ENDPOINT` - the endpoint of the ironic -- `IRONIC_INSPECTOR_ENDPOINT` - the endpoint of the ironic inspector - `CACHEURL` - the URL of the cached images - `IRONIC_FAST_TRACK` - whether to enable fast_track provisioning or not (default true) - `IRONIC_KERNEL_PARAMS` - kernel parameters to pass to IPA (default console=ttyS0)
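
Review bot: In docs/user-guide/src/baremetal/guide.md (hunk at -147,13), commenting out `export IRONIC_NO_BASIC_AUTH=true` switches the example from authentication disabled to authentication required, but the retained comment says "If unset, then IRONIC_USERNAME and IRONIC_PASSWORD must be set" and the visible lines export neither. Add placeholder exports for IRONIC_USERNAME and IRONIC_PASSWORD, or a pointer to where they are set, so the snippet still works when copied. The commit message should also mention this change of default, since its subject only covers Inspector removal.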
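
Review bot: In docs/user-guide/src/bmo/install_baremetal_operator.md (hunk at -81,29), the rewritten paragraph under "Authenticating to Ironic" now names a single API ("contact the Ironic API during inspection and provisioning") but still ends with "require authentication on those APIs"; change that to "on that API". In the same hunk, "there is a separate subdirectory `ironic`" keeps the word "separate" although no second subdirectory remains; "there is an `ironic` subdirectory" reads cleaner.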
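
Review bot: In docs/user-guide/src/bmo/install_baremetal_operator.md (hunk at -276,23), the added sentence "Before version 0.5.0, Ironic Inspector parameters were also used" does not say which component's version is meant; the "Deprecated options" section added earlier in this file says "baremetal-operator 0.5.0", so use the same wording here. The hunk repairs the stray bullet in front of the IRONIC_CACERT_FILE continuation line, but the same defect remains in the context line "* certificates exist" following IRONIC_CAKEY_FILE and could be fixed in the same pass.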
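
Review bot: In docs/user-guide/src/bmo/ironic_bmo_configmap.env, `IRONIC_INSPECTOR_ENDPOINT` is commented out while `IRONIC_INSPECTOR_VLAN_INTERFACES=all` stays active, with only the trailing newline added. A reader cannot tell from the file whether that variable still takes effect once Inspector is gone: if it does, add a comment line saying so, otherwise comment it out as well. The commented-out endpoint also lacks the "only before BMO 0.5.0" hint that guide.md gives for the same setting.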
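
Review bot: In docs/user-guide/src/ironic/ironic-python-agent.md (hunk at -11,14), the added item "- Inspection result is sent to Ironic" has no closing period while the following item "- Lookup/heartbeats data is sent to Ironic." has one; add it. Since both items now name the same destination, they could also be merged into a single bullet.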
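
Review bot: In docs/user-guide/src/ironic/ironic_installation.md (hunk at -20,6), the new optional-container entry says ironic-inspector is "only used in older versions of Metal3", which is vaguer than the "before baremetal-operator 0.5.0" wording used elsewhere in this patch. State the version boundary here too so the three files agree.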
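
Review bot: In docs/user-guide/src/ironic/ironic_installation.md (hunk at -30,7), "TCP 5050 (Inspector API; when used)" still sits in a list introduced as ports that "must be accessible by the hosts being provisioned". Spell out that this port only needs to be reachable when the ironic-inspector container is deployed, so readers following the list do not open it by default.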
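
Review bot: In docs/user-guide/src/ironic/ironic_variables.md, `IRONIC_INSPECTOR_ENDPOINT` is deleted from the variable list outright, whereas install_baremetal_operator.md moves the same variable under "Deprecated options" with a version note. Pick one treatment for both pages; keeping a short deprecated entry here would help users of releases before 0.5.0 who still find the variable in their configuration.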