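# Template for the Ironic service configuration. Every {{ env.NAME }}
# expression is filled in from the `env` mapping at render time; this file
# applies no quoting or validation to those values, so they must come from a
# trusted source.
[DEFAULT]
{% if env.AUTH_STRATEGY is defined %}
auth_strategy = {{ env.AUTH_STRATEGY }}
{% if env.AUTH_STRATEGY == "http_basic" %}
# Credentials file consulted when HTTP basic authentication is selected.
http_basic_auth_user_file = /etc/ironic/htpasswd
{% endif %}
{% else %}
# SECURITY: when AUTH_STRATEGY is not set the API runs without authentication.
# That is only safe if something outside this file (network isolation, an
# authenticating proxy) limits who can reach the API.
auth_strategy = noauth
{% endif %}
# NOTE(review): debug logging is unconditionally enabled. Debug-level logs are
# verbose and may contain request details, so restrict who can read them and
# confirm this is wanted outside development.
debug = true
default_deploy_interface = direct
default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
default_network_interface = noop
# NOTE(review): the `fake` interfaces and the `fake-hardware` type are enabled
# next to the real drivers in the lists below; presumably for testing. Confirm
# they are wanted in production deployments.
enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
enabled_firmware_interfaces = no-firmware,fake,redfish
# With json-rpc the RPC listener is configured by the [json_rpc] section of
# this file; otherwise no RPC transport is used.
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
rpc_transport = none
{% endif %}
use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
my_ip = {{ env.IRONIC_IP }}
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
# If we run both API and conductor in the same pod, use localhost
host = localhost
{% else %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
{% endif %}

# If a path to a certificate is defined, use that first for webserver
# verification. If neither variable below is set, the option is not written
# and Ironic's own default applies.
{% if env.WEBSERVER_CACERT_FILE %}
webserver_verify_ca = {{ env.WEBSERVER_CACERT_FILE }}
{% elif env.IRONIC_INSECURE == "true" %}
# SECURITY: IRONIC_INSECURE=true switches certificate verification off here,
# so the identity of the web server is not checked. Prefer supplying
# WEBSERVER_CACERT_FILE.
webserver_verify_ca = false
{% endif %}

isolinux_bin = /usr/share/syslinux/isolinux.bin

# NOTE(dtantsur): this path is specific to the GRUB image that is built into
# the ESP provided in [conductor]bootloader.
grub_config_path = EFI/BOOT/grub.cfg
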
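# Settings for talking to the deployment ramdisk agent.
[agent]
# Ramdisk logs are collected after every deployment, not only failed ones, and
# stored under the path below.
# NOTE(review): these logs can describe the deployed hosts in detail; confirm
# who can read this directory.
deploy_logs_collect = always
deploy_logs_local_path = /shared/log/ironic/deploy
# NOTE(dtantsur): in some environments temporary networking issues can cause
# the whole deployment to fail on inability to reach the ramdisk. Increasing
# retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30
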
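# Where the Ironic API listens. Two layouts are rendered:
#  - IRONIC_REVERSE_PROXY_SETUP == "true": the API is private (UNIX socket or
#    127.0.0.1) and is expected to be reached through a reverse proxy;
#  - otherwise: the API listens directly on a network address.
[api]
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
unix_socket = /shared/ironic.sock
# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
# another container, we need to make it world-writeable.
# SECURITY: mode 0666 lets any local process that can reach /shared connect to
# the API without going through the proxy, so access to that directory is the
# effective access control for the socket.
unix_socket_mode = 0666
{% else %}
host_ip = 127.0.0.1
port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %}
# `::` is the IPv6 wildcard address: with LISTEN_ALL_INTERFACES the API is
# reachable on every interface rather than only on IRONIC_IP.
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
port = {{ env.IRONIC_LISTEN_PORT }}
# NOTE(review): TLS is only switched on when IRONIC_TLS_SETUP is "true";
# otherwise this listener presumably serves plain HTTP - confirm that is
# acceptable on the network it is exposed to.
{% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true
{% endif %}
{% endif %}
api_workers = {{ env.NUMWORKERS }}

# Disable schema validation so we can pass nmstate format
# NOTE(review): as a consequence, network data submitted through the API is
# not validated against a schema here; whatever consumes it must validate it.
network_data_schema = /etc/ironic/network-data-schema-empty.json
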
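# Conductor behaviour: cleaning, timeouts, sensor data and default boot images.
[conductor]
# NOTE(review): when this renders to a false value, nodes are presumably not
# cleaned automatically between deployments - confirm the value supplied in
# IRONIC_AUTOMATED_CLEAN matches the data-handling requirements.
automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
# NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
deploy_callback_timeout = 4800
send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# NOTE(TheJulia): Do not lower this value below 120 seconds.
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
# Provide for a timeout longer than 60 seconds for certain vendor's hardware
power_state_change_timeout = 120
# The default deploy kernel and ramdisk are local files (file:// URLs); they
# are only configured when the corresponding variable is defined.
{% if env.IRONIC_DEFAULT_KERNEL is defined %}
deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }}
{% endif %}
{% if env.IRONIC_DEFAULT_RAMDISK is defined %}
deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
{% endif %}
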
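# Database backend: a local SQLite file unless MariaDB is requested.
[database]
{% if env.IRONIC_USE_MARIADB | lower == "false" %}
connection = sqlite:////var/lib/ironic/ironic.sqlite
# Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time.
sqlite_synchronous = False
{% else %}
# SECURITY: a database connection URL typically embeds the user name and
# password, which makes the rendered configuration file a secret. Keep it
# readable only by the service account.
# NOTE(review): the value is inserted verbatim; `$name` substitution (as used
# by `hooks = $default_hooks` in [inspector]) presumably also applies to it, so
# a literal `$` in the password would need escaping - confirm.
connection = {{ env.MARIADB_CONNECTION }}
{% endif %}
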
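# Deployment and cleaning options, plus the URLs nodes use to fetch images and
# call back.
[deploy]
default_boot_option = local
# SECURITY: cleaning runs the metadata erase step (priority 10) but a priority
# of 0 disables the full device erase, so data written by the previous user of
# a node stays on disk after cleaning. Confirm this matches the
# data-sanitisation requirements of the environment.
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
http_url = {{ env.IRONIC_BOOT_BASE_URL }}
fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %}
# An explicit external URL wins; otherwise an https:// URL is built only when
# virtual media TLS is set up. If neither applies the option is not written.
{% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
{% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
{% endif %}
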
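# Ironic does not drive a DHCP backend itself; DHCP for the provisioning
# network is presumably served by a separate component.
[dhcp]
dhcp_provider = none
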
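# Inspection settings. With USE_IRONIC_INSPECTOR == "true" the separate
# inspector service is used; otherwise the built-in inspection options at the
# end of the section apply.
[inspector]
# Nodes stay powered on after inspection only when fast track is enabled.
power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
# NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}

{% if env.USE_IRONIC_INSPECTOR == "true" %}
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
# SECURITY: a true value here disables verification of the inspector's TLS
# certificate even though a CA file is configured above; keep
# IRONIC_INSPECTOR_INSECURE false outside test setups.
insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
{% endif %}
{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
{% endif %}
{% else %}
# $default_hooks is expanded by the configuration parser, not by the template.
hooks = $default_hooks,parse-lldp
add_ports = all
keep_ports = present
{% endif %}
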
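# Retry behaviour and cipher suites for IPMI access to BMCs.
[ipmi]
# use_ipmitool_retries transfers the responsibility of retrying to ipmitool
# when supported. If set to false, then ipmitool is called as follows:
# $ipmitool -R 1 -N 1 ...
# and Ironic handles the retry loop.
use_ipmitool_retries = false
# The following parameters are the defaults in Ironic. They are used in the
# following way if use_ipmitool_retries is set to true:
# $ipmitool -R <X> -N <Y> ...
# where:
# X = command_retry_timeout / min_command_interval
# Y = min_command_interval
# If use_ipmitool_retries is false, then Ironic retries X times, with an
# interval of Y between tries.
min_command_interval = 5
command_retry_timeout = 60
# List of possible cipher suite versions that can be
# supported by the hardware in case the field `cipher_suite`
# is not set for the node. (list value)
# NOTE(review): in IPMI 2.0, suite 3 is SHA1-based and suite 17 is
# SHA256-based. Where the BMC supports it, pinning `cipher_suite` on the node
# to the stronger suite avoids falling back to the weaker one - confirm against
# the hardware in use.
cipher_suite_versions = 3,17
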
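{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
[json_rpc]
# We assume that when we run API and conductor in the same container, they use
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
# SECURITY: JSON_RPC_AUTH_STRATEGY is written as given. The only guard in this
# template for "noauth" is the localhost binding below, and that binding is
# applied only when IRONIC_DEPLOYMENT is "Conductor"; any other combination
# with "noauth" listens on IRONIC_IP or on all interfaces.
auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
host_ip = localhost
{% else %}
# `::` is the IPv6 wildcard address: the RPC endpoint is then reachable on
# every interface of the host.
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
# SECURITY: a true value disables certificate verification for RPC clients
# even though TLS and a CA file are configured; keep IRONIC_INSECURE false
# outside test setups.
insecure = {{ env.IRONIC_INSECURE }}
{% endif %}
{% endif %}
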
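# No power-state notifications are sent to Nova.
[nova]
send_power_notifications = false
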
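# Notifications go to the prometheus_exporter driver, which uses the directory
# in `location`; the fake:// transport means no message broker is configured.
[oslo_messaging_notifications]
driver = prometheus_exporter
# NOTE(review): /shared is also used for sockets and images in this file;
# confirm which other containers can read the exported data.
location = /shared/ironic_prometheus_exporter
transport_url = fake://
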
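# Network boot settings: retry timing, image/TFTP paths and the kernel command
# line handed to the deployment ramdisk.
[pxe]
# NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen.
# The default settings enable 3 retries after 20 minutes each.
boot_retry_timeout = 1200
images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot
# SECURITY: this command line is assembled from environment values without
# validation and presumably ends up in boot configuration files served to
# nodes, so it must not carry secrets:
#  - ipa-insecure: a true value makes the ramdisk agent skip TLS certificate
#    verification; keep IPA_INSECURE off outside test setups.
#  - sshkey: presumably a public key granting login to the ramdisk; set
#    IRONIC_RAMDISK_SSH_KEY only when that access is needed.
#  - IRONIC_KERNEL_PARAMS is appended verbatim.
# The same line is repeated in [redfish], [ilo] and [irmc]; keep them aligned.
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
# This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface).
enable_netboot_fallback = true
# Enable the fallback path to in-band inspection
ipxe_fallback_script = inspector.ipxe
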
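# Redfish driver settings.
[redfish]
use_swift = false
# Same kernel command line as [pxe]kernel_append_params; keep them aligned.
# SECURITY: values are inserted verbatim from the environment. ipa-insecure
# controls whether the ramdisk agent verifies TLS certificates, and sshkey
# presumably grants login to the ramdisk - do not place secrets here.
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
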
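# iLO driver settings.
[ilo]
# Same kernel command line as [pxe]kernel_append_params; keep them aligned.
# SECURITY: values are inserted verbatim from the environment. ipa-insecure
# controls whether the ramdisk agent verifies TLS certificates, and sshkey
# presumably grants login to the ramdisk - do not place secrets here.
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
use_web_server_for_images = true
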
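# iRMC driver settings.
[irmc]
# Same kernel command line as [pxe]kernel_append_params; keep them aligned.
# SECURITY: values are inserted verbatim from the environment. ipa-insecure
# controls whether the ramdisk agent verifies TLS certificates, and sshkey
# presumably grants login to the ramdisk - do not place secrets here.
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
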
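# Ironic's own API endpoint is given explicitly instead of being looked up.
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}
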
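{% if env.IRONIC_TLS_SETUP == "true" %}
# Server certificate and private key; the section is only rendered when TLS
# is set up.
[ssl]
cert_file = {{ env.IRONIC_CERT_FILE }}
# SECURITY: the private key file should be readable only by the account that
# runs the service.
key_file = {{ env.IRONIC_KEY_FILE }}
{% endif %}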