From 36468adfac42fd57a9217f99950eb269568f2148 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Tue, 23 May 2023 18:57:22 +0200
Subject: [PATCH] Define ipa-insecure=1 in LXC example

In LXC example, the BMAAS network is not routable to any other networks nor to the internal VIP. It means that Ironic Python Agent(IPA) is not able to communicate with ironic API and ironic inspector over haproxy. To solve that issue, `ironic_inspector_callback_url` and `ironic_ironic_conf_overrides.service_catalog.endpoint_override` values were overriden to instruct IPA to communicate with ironic api/inspector backends directly on BMAAS network(instead of going via HAProxy on management network). It may cause a problem with certificate verification if these backends are listening on https because most likely they are using self-signed certificate. As a workaround, `ipa-insecure=1` kernel parameter[1] is added to IPA for both inspection and deployment.

[1] https://docs.openstack.org/ironic-python-agent/latest/install/index.html#ipa-and-tls

Change-Id: Idfb5a4e9bf4f39441fc99b5aa78500d6195e6da0
---
 doc/source/configure-lxc-example.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/doc/source/configure-lxc-example.rst b/doc/source/configure-lxc-example.rst
index 1c46a9f3..7ee048f7 100644
--- a/doc/source/configure-lxc-example.rst
+++ b/doc/source/configure-lxc-example.rst
@@ -429,6 +429,10 @@ In ``/etc/openstack_deploy/user_variables_ironic.yml``
 # as well as the mgmt interface for the loadbalancer ironic_uwsgi_bind_address: 0.0.0.0 + # Add ipa-insecure=1 to kernel parameters # Needed when ironic endpoint is available over https with self-signed cert. ironic_kernel_append_params: "ipa-debug=1 systemd.journald.forward_to_console=yes ipa-insecure=1" + # INI file overrides ironic_ironic_conf_overrides: # Disable full device erasure (slow) and just metadata erasure, and replace with "Express erasure" 
@@ -455,6 +459,10 @@ In ``/etc/openstack_deploy/user_variables_ironic.yml``
 # instead of going via HAProxy on mgmt network. Only applies when bmaas network is isolated. ironic_inspector_callback_url: "{{ ironic_inspector_service_internaluri_proto }}://{{ container_networks['bmaas_address']['address'] }}:{{ ironic_inspector_service_port }}/v1/continue" + # Add ipa-insecure=1 to kernel parameters # Needed when inspector is available over https with self-signed cert. ironic_inspector_extra_callback_parameters: "ipa-collect-lldp=1 ipa-insecure=1" + # Ensure inspector API (using uwsgi) listens on br-bmaas for agent callbacks # as well as the mgmt interface for the loadbalancer ironic_inspector_service_address: "0.0.0.0"