Installing ironic-inspector

During the registration of the bare metal instance management node, you need to add the bare metal physical server hardware information to the node. ironic-inspector is used to automatically collect the bare metal physical server hardware information, including but not limited to the number of CPU cores, memory capacity, hard drive capacity, and architecture. This section describes how to install ironic-inspector.

ironic-inspector contains two services. One is ironic-inspector, which works with ironic-python-agent (IPA) to complete the inspection process. The other is the ironic-inspector-dnsmasq service, which provides the DHCP and TFTP functions during the inspection phase.

ironic-inspector and ironic-conductor can be deployed on the same node or different nodes. This section describes how to install the ironic-inspector component on the node where ironic-conductor is located. Therefore, the following operations are performed on the BMS management node baremetal.

Configuring the ironic-inspector Network

The ironic-inspector component provides the DHCP and TFTP functions for bare metal instances. Therefore, physical network links must be established between the node where the ironic-inspector component is located and the bare metal server nodes. It is recommended that the ironic-inspector component use an independent network port to prevent interference with other services. If there is no independent network port, configure the network by referring to scenario 2.

Scenario 1: The ironic-inspector Component Uses an Independent Network Port

  1. Create a bridge.
    ovs-vsctl add-br br-inspector
    
  2. Connect an external network port.
    ovs-vsctl add-port br-inspector eth
    

    Replace eth with the actual network port.

  3. Configure the br-inspector IP address.
    ifconfig br-inspector up
    ifconfig eth 0
    ifconfig br-inspector 172.24.66.254/24
    
    • Replace eth with the actual network port.
    • Ensure that the configured IP address does not conflict with the IP addresses of other network devices.

Scenario 2: The ironic-inspector Component and Other Components Use the Same Network Port

  1. Check the network topology of the current environment.
    ovs-vsctl show
    

    The network topology of the Ironic management node is as follows:

    The bridge br-ex uses a port that has external connections.

    The network configuration varies according to the environment. You only need to find the bridge that has external ports.

  2. Create network devices.

    Run the ip link command to create ex-inspector and br-inspector devices.

    sudo ip link add ex-inspector type veth peer name br-inspector
    

    br-inspector is the interface used by the ironic-inspector service, and ex-inspector is used to connect br-ex and br-inspector.

  3. Enable network devices.
    sudo ip link set dev ex-inspector up
    sudo ip link set dev ex-inspector mtu 1400
    sudo ip link set dev br-inspector up
    sudo ip link set dev br-inspector mtu 1400
    
  4. Configure the br-inspector IP address.
    sudo ip addr add 172.24.66.254/24 dev br-inspector
    

    Ensure that the configured IP address does not conflict with the IP addresses of other network devices.

  5. Add ex-inspector to bridge br-ex.
    sudo ovs-vsctl add-port br-ex ex-inspector
    
  6. Configure iptables.
    sudo iptables -I INPUT -i br-inspector -p udp --dport 69 -j ACCEPT
    sudo iptables -I INPUT -i br-inspector -p tcp --dport 5050 -j ACCEPT
    

Installing ironic-inspector

The ironic-inspector service can be installed on any node: either on the same node as the ironic-conductor service or on a different node. In this document, the ironic-inspector service is installed on the BMS management node.

In this section, steps 1 to 3 are performed on the controller node, and other steps are performed on the ironic-inspector service node.

  1. Create an ironic-inspector database on the controller node.

    Create an ironic-inspector database. Like other OpenStack services, this service uses the MySQL database.

    mysql -u root -p
    CREATE DATABASE ironic_inspector CHARACTER SET utf8;
    GRANT ALL PRIVILEGES ON ironic_inspector.* TO 'ironic_inspector'@'localhost' IDENTIFIED BY '<PASSWORD>';
    GRANT ALL PRIVILEGES ON ironic_inspector.* TO 'ironic_inspector'@'%' IDENTIFIED BY '<PASSWORD>';
    exit
    

    In this document, all passwords are represented as PASSWORD. Use the actual password during the operation. Replace the PASSWORD with the password of the ironic_inspector database.

  2. Create the ironic-inspector authentication information and endpoint on the controller node, and enter the password of the ironic-inspector user.
    openstack user create  --password-prompt ironic-inspector
    

    The password for the ironic-inspector user must be the same as the password for accessing the ironic-inspector database.

    openstack role add --user ironic-inspector --project service admin
    openstack service create --name ironic-inspector --description 'Bare Metal Introspection Service' --enable baremetal-introspection
    openstack endpoint create  --region RegionOne --enable ironic-inspector admin http://{IRONIC_INSPECTOR_NODE}:5050
    openstack endpoint create  --region RegionOne --enable ironic-inspector internal http://{IRONIC_INSPECTOR_NODE}:5050
    openstack endpoint create  --region RegionOne --enable ironic-inspector public http://{IRONIC_INSPECTOR_NODE}:5050
    

    IRONIC_INSPECTOR_NODE indicates the hostname or IP address of the node where ironic-inspector is installed. If ironic-inspector is installed on the node where ironic-api is located, the hostname is baremetal.

  3. Install ironic-inspector-client on the controller node.
    sudo yum install python-ironic-inspector-client
    
  4. Install ironic-inspector on the inspector service node.
    sudo yum install openstack-ironic-inspector python-ironic-inspector-client
    
  5. Configure the ironic-conductor service.
    1. Open the /etc/ironic-inspector/inspector.conf file.
      vi /etc/ironic-inspector/inspector.conf
    2. Press i to enter the insert mode and add the following content to the file:
      [DEFAULT]
      rootwrap_config = /etc/ironic-inspector/rootwrap.conf
      transport_url = rabbit://openstack:PASSWORD@controller:5672
      auth_strategy = keystone
      listen_address = 0.0.0.0
      listen_port = 5050
       
      [database]
      connection = mysql+pymysql://ironic_inspector:PASSWORD@controller/ironic_inspector?charset=utf8
       
      [iptables]
      dnsmasq_interface = BR-inspect
       
      [ironic]
      auth_type=password
      auth_url=http://controller:5000/v3/
      project_name=service
      username=ironic-inspector
      password=PASSWORD
      project_domain_name=default
      user_domain_name=default
       
      [keystone_authtoken]
      auth_type=password
      www_authenticate_uri=http://controller:5000
      auth_url=http://controller:5000/v3/
      memcached_servers = controller:11211
      username=ironic-inspector
      password=PASSWORD
      project_name=service
      project_domain_name=default
      user_domain_name=default
       
      [processing]
      add_ports = pxe
      keep_ports = present
      always_store_ramdisk_logs = True
      ramdisk_logs_dir = /var/log/ironic-inspector/ramdisk-logs
      
      Table 1 Parameters

      Parameter              Description
      add_ports = pxe        Discovers NICs. all indicates that all NICs are added. pxe indicates that only the NIC started by PXE is added.
      keep_ports = present   Specifies NICs to be kept. all indicates that all the added NICs are kept. present indicates that only the NIC in use is kept.

      • Replace PASSWORD with the password of the corresponding component.
      • Replace BR-inspect with the bridge used by inspector-dnsmasq to send DHCP and TFTP packets. In this section, BR-inspect is br-inspector.
    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
  6. Create the TFTP root directory of the inspector service.

    If the ironic-inspector service is not installed on the Ironic service node, install and configure the TFTP server by referring to Modifying the ironic Configuration File.

    sudo mkdir -p /tftpboot/inspector
    
  7. Copy related files.
    1. Go to the /tftpboot/inspector directory.
      cd /tftpboot/inspector
      
    2. Copy related files to /tftpboot/inspector.
      cp /tftpboot/*.efi /tftpboot/inspector
      cp /tftpboot/pxelinux.0 /tftpboot/inspector
      
    3. Upload the deployment image kernel and temporary file system of the x86 and AArch64 architectures obtained in step 2 to 7 to /tftpboot/inspector, and rename them to ipa-{arch}.kernel and ipa-{arch}.initramfs respectively.

      {arch} indicates the architecture, which can be x86 or aarch64.

  8. Create a boot configuration file.

    Perform the following operations in the /tftpboot/inspector directory:

    1. Create the boot configuration file grub.cfg. The file content is as follows:
      set default=master
      set timeout=5
      set hidden_timeout_quiet=false
       
      menuentry "master"  {
          configfile /grub-${grub_cpu}.cfg
      }
      
    2. Create the x86 boot configuration file grub-i386.cfg. The file content is as follows:
      set default='Introspection for x86'
      set timeout=5
      set hidden_timeout_quiet=false
       
       
      menuentry 'Introspection for x86' {
          linuxefi ipa-x86.kernel text showopts selinux=0 ipa-inspection-callback-url=http://{IRONIC_INSPECTOR_NODE}:5050/v1/continue ipa-inspection-collectors=default ipa-collect-lldp=1 systemd.journald.forward_to_console=yes ipa-debug=1 ipa-api-url=http://{IRONIC_NODE}:6385
          initrdefi ipa-x86.initramfs
      }
      
    3. Create a soft link to the x86 boot configuration file grub-x86_64.cfg.
      ln -s grub-i386.cfg grub-x86_64.cfg
      
    4. Create the AArch64 boot configuration file grub-arm64.cfg. The file content is as follows:
      set default='Introspection for aarch64'
      set timeout=5
      set hidden_timeout_quiet=false
       
       
      menuentry 'Introspection for aarch64' {
          linux ipa-aarch64.kernel text showopts selinux=0 ipa-inspection-callback-url=http://{IRONIC_INSPECTOR_NODE}:5050/v1/continue ipa-inspection-collectors=default ipa-collect-lldp=1 systemd.journald.forward_to_console=yes ipa-debug=1 ipa-api-url=http://{IRONIC_NODE}:6385
          initrd ipa-aarch64.initramfs
      }
      
    5. Create the x86 Legacy boot configuration file.
    6. Create the /tftpboot/inspector/pxelinux.cfg directory.
      sudo mkdir -p /tftpboot/inspector/pxelinux.cfg
    7. Create the default file in the pxelinux.cfg directory. The file content is as follows:
      default introspect
       
      label introspect
      kernel ipa-x86.kernel
      append initrd=ipa-x86.initramfs ipa-inspection-callback-url=http://{IRONIC_INSPECTOR_NODE}:5050/v1/continue systemd.journald.forward_to_console=yes ipa-api-url=http://{IRONIC_NODE}:6385
       
      ipappend 3
      
    • {IRONIC_INSPECTOR_NODE} indicates the IP address of the node where the ironic-inspector service is deployed. In this example, {IRONIC_INSPECTOR_NODE} is 172.24.66.254, that is, the IP address of br-inspector.
    • {IRONIC_NODE} indicates the IP address of the node where the ironic service is deployed. In this example, {IRONIC_NODE} is 172.24.66.254, that is, the IP address of br-inspector.
  9. Configure the ironic-inspector-dhcp service.

    Add the following content to the /etc/ironic-inspector/dnsmasq.conf file:

    interface={BR-inspect}
    dhcp-range=172.24.66.100,172.24.66.250
     
    dhcp-match=set:efi,option:client-arch,7
    dhcp-match=set:efi,option:client-arch,9
    dhcp-match=set:aarch64,option:client-arch,11  # aarch64
    tftp-root=/tftpboot/inspector
    dhcp-boot=tag:aarch64,grubaa64.efi
    dhcp-boot=tag:!aarch64,tag:efi,grubx64.efi
    dhcp-boot=tag:!aarch64,tag:!efi,pxelinux.0
    dhcp-sequential-ip
    

    BR-inspect is the bridge used by inspector-dnsmasq, which is br-inspector in this section. The IP address range specified by dhcp-range must be in the same network segment as the IP address configured for br-inspector in section 5.5.1.1.

  10. Configure the Ironic service.
    1. Add the following content to the /etc/ironic/ironic.conf file:
      [inspector]
      enabled = true
      region_name = RegionOne
      cafile = /opt/stack/data/ca-bundle.pem
      project_domain_id = default
      user_domain_id = default
      project_name = service
      password = PASSWORD
      username = ironic
      auth_url = http://controller:5000/v3/
      auth_type = password
      

      In this document, all passwords are represented as PASSWORD. Use the actual password during the operation. PASSWORD indicates the password of the ironic-inspector user set in step 2.

    2. Restart the service.
      sudo systemctl restart openstack-ironic-conductor
      
  11. Modify permissions on directories and files.
    sudo chown -R ironic /tftpboot/inspector
    sudo chmod -R 755  /tftpboot/inspector
    
  12. Synchronize the ironic-inspector database.
    ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade
    
  13. Start the service.
    systemctl enable openstack-ironic-inspector
    systemctl start openstack-ironic-inspector
    

    The inspector DHCP service does not distinguish MAC addresses, so on a flat network it conflicts with neutron-dhcp-agent. For a flat network, it is therefore advised to perform the inspector and provision operations separately. Start the openstack-ironic-inspector-dnsmasq service as required.
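
A pre-start check for the files written in steps 5 and 9, as an added example that is not part of the original procedure: it flags placeholders from this page that were left unreplaced, the wildcard listen_address, plain-HTTP Keystone URLs, and a dhcp-range that falls outside the br-inspector subnet or overlaps the bridge address. The function names, the finding wording and the sample inputs are assumptions constructed for illustration.

```python
import configparser
import ipaddress
import re

# Placeholder tokens this page uses; none may survive into a live file.
PLACEHOLDER = re.compile(r"PASSWORD|BR-inspect|\{IRONIC(_INSPECTOR)?_NODE\}")

def check_inspector_conf(text):
    """Return a sorted list of findings for an inspector.conf body."""
    # default_section is renamed so [DEFAULT] is read as an ordinary section.
    cfg = configparser.ConfigParser(default_section="_unused", interpolation=None)
    cfg.read_string(text)
    findings = set()
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if PLACEHOLDER.search(value):
                findings.add(f"{section}.{key}: placeholder not replaced")
            if key == "listen_address" and value in ("0.0.0.0", "::"):
                findings.add(f"{section}.{key}: API bound to every interface")
            if key in ("auth_url", "www_authenticate_uri") and value.startswith("http://"):
                findings.add(f"{section}.{key}: Keystone traffic in cleartext")
    return sorted(findings)

def check_dhcp_range(dnsmasq_text, bridge_cidr):
    """Return findings for dhcp-range against the bridge address, e.g. 172.24.66.254/24."""
    bridge = ipaddress.ip_interface(bridge_cidr)
    match = re.search(r"^dhcp-range=([0-9.]+),([0-9.]+)", dnsmasq_text, re.M)
    if not match:
        return ["dhcp-range: missing"]
    start, end = (ipaddress.ip_address(g) for g in match.groups())
    findings = []
    if start not in bridge.network or end not in bridge.network:
        findings.append(f"dhcp-range: outside {bridge.network}")
    if start <= bridge.ip <= end:
        findings.append(f"dhcp-range: overlaps bridge address {bridge.ip}")
    return findings

# Constructed sample: an excerpt of this page's inspector.conf with placeholders left in.
SAMPLE_CONF = """\
[DEFAULT]
listen_address = 0.0.0.0
[iptables]
dnsmasq_interface = BR-inspect
[keystone_authtoken]
auth_url=http://controller:5000/v3/
password=PASSWORD
"""
SAMPLE_DNSMASQ = "interface=br-inspector\ndhcp-range=172.24.66.100,172.24.66.250\n"
if __name__ == "__main__":
    print("\n".join(check_inspector_conf(SAMPLE_CONF) + check_dhcp_range(SAMPLE_DNSMASQ, "172.24.66.254/24")))
```

Run it against the real file contents before starting openstack-ironic-inspector; an empty result from both functions means none of these four conditions was found.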