openstack/ironic
Code Issues Proposed changes
ironic/doc/source/install/standalone/configure.rst
Steve Baker 25a3dd076a Documentation for graphical consoles 
This change cleans up and elaborates on existing graphical console
documentation, and also adds an overview document describing how it all
works together.

Closes-Bug: 2086715
Change-Id: I16b7ffb993e1ca5148b5205f0a35a74db85337d5
2025-03-05 20:09:59 +00:00

148 lines
4.2 KiB
ReStructuredText
Raw Permalink Blame History

Configuration
=============
This guide covers manual configuration of the Bare Metal service in the
standalone mode. Alternatively, Bifrost_ can be used for automatic
configuration.
.. _Bifrost: https://docs.openstack.org/bifrost/latest/
Service settings
----------------
It is possible to use the Bare Metal service without other OpenStack services.
You should make the following changes to ``/etc/ironic/ironic.conf``:
#. Choose an authentication strategy which supports standalone, one option is
``noauth``:
.. code-block:: ini
[DEFAULT]
auth_strategy=noauth
Another option is ``http_basic`` where the credentials are stored in an
`Apache htpasswd format`_ file:
.. code-block:: ini
[DEFAULT]
auth_strategy=http_basic
http_basic_auth_user_file=/etc/ironic/htpasswd
Only the ``bcrypt`` format is supported, and the Apache ``htpasswd``
utility can be used to populate the file with entries, for example:
.. code-block:: shell
htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd
#. If you want to disable the Networking service, you should have your network
pre-configured to serve DHCP and TFTP for machines that you're deploying.
To disable it, change the following lines:
.. code-block:: ini
[dhcp]
dhcp_provider=none
.. note::
If you disabled the Networking service and the driver that you use is
supported by at most one conductor, PXE boot will still work for your
nodes without any manual config editing. This is because you know all
the DHCP options that will be used for deployment and can set up your
DHCP server appropriately.
If you have multiple conductors per driver, it would be better to use
Networking since it will do all the dynamically changing configurations
for you.
#. If you want to disable using a messaging broker between conductor and API
processes, switch to JSON RPC instead:
.. code-block:: ini
[DEFAULT]
rpc_transport = json-rpc
JSON RPC also has its own authentication strategy. If it is not specified then
the strategy defaults to ``[DEFAULT]`` ``auth_strategy``. The following will
set JSON RPC to ``noauth``:
.. code-block:: ini
[json_rpc]
auth_strategy = noauth
For ``http_basic`` the conductor server needs a credentials file to validate
requests:
.. code-block:: ini
[json_rpc]
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-json-rpc
The API server also needs client-side credentials to be specified:
.. code-block:: ini
[json_rpc]
auth_type = http_basic
username = myName
password = myPassword
#. To make graphical consoles available for local viewing, set the following,
including an appropriate container image reference for console_image.
.. code-block:: ini
[vnc]
enabled=True
port=6090
host_ip=127.0.0.1
public_url=http://127.0.0.1:6090/vnc_lite.html
container_provider=systemd
console_image=<image reference>
#. Starting with the Yoga release series, you can use a combined
API+conductor+novncproxy service and completely disable the RPC. Set
.. code-block:: ini
[DEFAULT]
rpc_transport = none
and use the ``ironic`` executable to start the combined service.
.. note::
The combined service also works with RPC enabled, which can be useful for
some deployments, but may not be advisable for all security models.
Using CLI
---------
To use the
:python-ironicclient-doc:`baremetal CLI <cli/osc_plugin_cli.html>`,
set up these environment variables. If the ``noauth`` authentication strategy is
being used, the value ``none`` must be set for OS_AUTH_TYPE. OS_ENDPOINT is
the URL of the ironic-api process.
For example:
.. code-block:: shell
export OS_AUTH_TYPE=none
export OS_ENDPOINT=http://localhost:6385/
If the ``http_basic`` authentication strategy is being used, the value
``http_basic`` must be set for OS_AUTH_TYPE. For example:
.. code-block:: shell
export OS_AUTH_TYPE=http_basic
export OS_ENDPOINT=http://localhost:6385/
export OS_USERNAME=myUser
export OS_PASSWORD=myPassword
.. _`Apache htpasswd format`: https://httpd.apache.org/docs/current/misc/password_encryptions.html
View Git Blame Copy Permalink