File ironic-config.obscpio of Package ironic-image
07070100000000000081a400000000000000000000000168ee4b310000034c000000000000000000000000000000000000002300000000ironic-config/apache2-ipxe.conf.j2Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
Listen [::]:{{ env.IPXE_TLS_PORT }}
# TLS virtual host that serves the iPXE boot tree under /shared/html.
# NOTE(review): unlike apache2-vmedia.conf.j2, no SSLCipherSuite or curve
# settings are exposed here, so cipher selection falls back to the mod_ssl
# defaults for whatever SSLProtocol allows.
<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr
# NOTE(review): debug is very verbose for a network-facing TLS endpoint;
# consider warn/info outside of troubleshooting.
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
# Protocol list, certificate and private key paths come from the environment.
SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IPXE_CERT_FILE }}
SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
# NOTE(review): Order/Allow/Deny are the Apache 2.2 access directives and
# need mod_access_compat, which is commented out in httpd-modules.conf in
# this archive. The 2.4 equivalents are "Require all granted" and
# "Require all denied" (mod_authz_core, which is loaded).
<Directory "/shared/html">
Order Allow,Deny
Allow from all
</Directory>
# NOTE(review): without "~" (or DirectoryMatch) this path is not a regular
# expression; parentheses and "|" are taken literally, so the deny below
# only applies to a directory literally named "(redfish|ilo|images)".
# If the intent is to block redfish/, ilo/ and images/ on this port, the
# section needs the regex form, as apache2-vmedia.conf.j2 uses.
# Confirm nothing fetched over this port lives under those directories
# before tightening.
<Directory "/shared/html/(redfish|ilo|images)/">
Order Deny,Allow
Deny from all
</Directory>
</VirtualHost>
# These Location sections sit outside the VirtualHost, so they apply
# server-wide: SSLRequireSSL refuses any request for a matching URL that did
# not arrive over TLS, keeping per-node boot configuration off plain HTTP.
# NOTE(review): every pattern ends in "/", so it only matches URLs that
# contain a further path segment after the matched name; a top-level file
# such as /something.conf is not covered. Confirm that is intended.
<Location ~ "^/grub.*/">
SSLRequireSSL
</Location>
<Location ~ "^/pxelinux.cfg/">
SSLRequireSSL
</Location>
<Location ~ "^/.*\.conf/">
SSLRequireSSL
</Location>
# Five dash-separated groups, each starting with a digit or lowercase letter;
# presumably the per-node UUID directories. Upper-case names would not match.
<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
SSLRequireSSL
</Location>
07070100000001000081a400000000000000000000000168ee4b310000055e000000000000000000000000000000000000002500000000ironic-config/apache2-vmedia.conf.j2Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
Listen [::]:{{ env.VMEDIA_TLS_PORT }}
# TLS virtual host that serves virtual-media content from /shared/html.
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr
# NOTE(review): debug is very verbose for a network-facing TLS endpoint;
# consider warn/info outside of troubleshooting.
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
# Optional hardening knobs: each directive is emitted only when its
# environment variable is present and non-empty; otherwise mod_ssl defaults
# apply. The first SSLCipherSuite covers TLS 1.2 and below, the second the
# TLS 1.3 suites.
{% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
{% endif %}
# Server-side cipher preference is only enforced when the flag is "true"
# (compared case-insensitively).
{% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
SSLHonorCipherOrder on
{% endif %}
# NOTE(review): "Indexes" turns on directory listings, so any client that
# can reach this port can enumerate everything under /shared/html, including
# generated boot media. Consumers normally fetch by exact URL, so consider
# dropping Indexes if nothing depends on listings.
<Directory "/shared/html/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# NOTE(review): this regex section repeats the settings already granted for
# the parent directory above, so as written it adds no restriction.
<Directory ~ "/shared/html/(redfish|ilo)/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
# Server-wide rule (outside the VirtualHost): URLs under /redfish/ or /ilo/
# are refused unless the request arrived over TLS.
<Location ~ "^/(redfish|ilo)/">
SSLRequireSSL
</Location>
07070100000002000081a400000000000000000000000168ee4b3100000a8c000000000000000000000000000000000000001e00000000ironic-config/dnsmasq.conf.j2interface={{ env.PROVISIONING_INTERFACE }}
# dnsmasq provides DHCP, TFTP and (when port is non-zero) DNS on the
# provisioning interface. Everything below is rendered from environment
# variables, which are inserted verbatim.
bind-dynamic
# TFTP has no authentication or integrity protection: the first-stage
# bootloaders served from tftp-root are trusted purely by network position,
# so the provisioning network should be isolated.
enable-tftp
tftp-root=/shared/tftpboot
log-queries
dhcp-leasefile=/data/dnsmasq/dnsmasq.leases
# Configure listening for DNS (0 disables DNS)
port={{ env.DNS_PORT }}
# The DHCP server is only configured when DHCP_RANGE is non-empty.
{%- if env.DHCP_RANGE | length %}
log-dhcp
dhcp-range={{ env.DHCP_RANGE }}
# It can be used when setting DNS or GW variables.
# An address containing ":" selects the DHCPv6 form (option6:...).
{%- if env["GATEWAY_IP"] is undefined %}
# Disable default router(s)
dhcp-option=3
{% else %}
dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
{% endif %}
{%- if env["DNS_IP"] is undefined %}
# Disable DNS over provisioning network
dhcp-option=6
{% else %}
dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
{% endif %}
{%- if env.IPV == "4" or env.IPV is undefined %}
# IPv4 Configuration:
dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading
# NOTE(review): IPXE_TLS_SETUP is compared to the exact string "true" here,
# while ironic.conf.j2 lower-cases it first; a value such as "True" would
# take the non-TLS branch in this file only.
{%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/snponly.efi
# iPXE with BIOS
dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/undionly.kpxe
{% else %}
dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
{% endif %}
# Note: Need to test EFI booting
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
{%- if env.IPXE_TLS_SETUP == "true" %}
dhcp-boot=tag:efi,tag:ipxe,snponly.efi
{% endif %}
dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
# Client is running PXE over BIOS; send BIOS version of iPXE chainloader
dhcp-boot=/undionly.kpxe,{{ env.IRONIC_IP }}
{% endif %}
{% if env.IPV == "6" %}
# IPv6 Configuration:
enable-ra
ra-param={{ env.PROVISIONING_INTERFACE }},0,0
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE
dhcp-option=tag:pxe6,option6:bootfile-url,{{ env.IRONIC_TFTP_URL }}/snponly.efi
dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
# It can be used when setting DNS or GW variables.
# NOTE(review): the router and DNS options were already emitted above with
# the option6: prefix when the address is IPv6; the lines below repeat them
# using the numeric IPv4 option codes 3 and 6 inside the IPv6 branch.
# Confirm this duplication is intended.
{%- if env["GATEWAY_IP"] is undefined %}
# Disable default router(s)
dhcp-option=3
{% else %}
dhcp-option=3,{{ env["GATEWAY_IP"] }}
{% endif %}
{%- if env["DNS_IP"] is undefined %}
# Disable DNS over provisioning network
dhcp-option=6
{% else %}
dhcp-option=6,{{ env["DNS_IP"] }}
{% endif %}
{% endif %}
{% endif %}
# DHCP_IGNORE and DHCP_HOSTS are copied into the file unvalidated;
# DHCP_HOSTS is split on ";" and each item becomes its own dhcp-host line.
# This assumes the variables are operator-controlled: a value containing a
# newline would add arbitrary dnsmasq directives.
{%- if env.DHCP_IGNORE | length %}
dhcp-ignore={{ env.DHCP_IGNORE }}
{% endif %}
{%- if env.DHCP_HOSTS | length %}
{%- for item in env.DHCP_HOSTS.split(";") %}
dhcp-host={{ item }}
{%- endfor %}
{% endif %}
07070100000003000081a400000000000000000000000168ee4b31000009da000000000000000000000000000000000000002700000000ironic-config/httpd-ironic-api.conf.j2# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Reverse proxy in front of the Ironic API. ironic.conf.j2 in this archive
# sets auth_strategy = noauth, so the HTTP Basic authentication configured
# below is the only API authentication visible in these templates.
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
{% if env.ENABLE_IPV4 %}
Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
{% endif %}
{% endif %}
# Backend is either a unix socket under /shared or a loopback TCP port.
# ironic.conf.j2 creates that socket with mode 0666, so any process that can
# reach /shared/ironic.sock talks to the API without passing through the
# authentication configured in this virtual host.
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
{% else %}
ProxyPass "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
{% endif %}
# SetEnv only sets request environment variables; it does not change the
# identity httpd runs as (that is the User/Group pair in httpd.conf.j2).
SetEnv APACHE_RUN_USER ironic-suse
SetEnv APACHE_RUN_GROUP ironic-suse
ErrorLog /dev/stderr
# NOTE(review): debug is very verbose for the API front end; consider
# warn/info outside of troubleshooting.
LogLevel debug
CustomLog /dev/stdout combined
# NOTE(review): TLS is enabled only when IRONIC_TLS_SETUP is exactly "true"
# (case-sensitive, unlike the "| lower" comparisons elsewhere). Any other
# value leaves this virtual host on plain HTTP, and the Basic credentials
# below then cross the network unencrypted.
{% if env.IRONIC_TLS_SETUP == "true" %}
SSLEngine on
SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
{% endif %}
# Basic authentication for the whole API, emitted only when IRONIC_HTPASSWD
# is set and non-empty. When it is not, this section is empty and no Require
# directive is applied here, leaving the API unauthenticated.
<Location />
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
AuthName "Restricted area"
AuthUserFile {{ env.HTPASSWD_FILE }}
Require valid-user
{% endif %}
</Location>
# Exemptions from authentication: the API root / version document ...
<Location ~ "^/(v1/?)?$" >
Require all granted
</Location>
# ... and the ramdisk agent endpoints. The pattern has no end anchor, so
# every path that begins with one of these names is exempt.
<Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
Require all granted
</Location>
</VirtualHost>
07070100000004000081a400000000000000000000000168ee4b31000004ad000000000000000000000000000000000000002100000000ironic-config/httpd-modules.conf# Bare minimum set of modules
# Modules loaded by every httpd instance built from these templates.
LoadModule log_config_module /usr/lib64/apache2/mod_log_config.so
LoadModule mime_module /usr/lib64/apache2/mod_mime.so
LoadModule dir_module /usr/lib64/apache2/mod_dir.so
LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
#LoadModule unixd_module modules/mod_unixd.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
LoadModule env_module /usr/lib64/apache2/mod_env.so
# NOTE(review): the ProxyPass lines in httpd-ironic-api.conf.j2 only use the
# http scheme (directly or via a unix socket), which needs mod_proxy and
# mod_proxy_http. mod_proxy_ajp, mod_proxy_balancer and mod_slotmem_shm look
# unused by the templates in this archive; if nothing under conf.d relies on
# them, dropping them would match the "bare minimum" goal and reduce
# attack surface.
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
LoadModule proxy_ajp_module /usr/lib64/apache2/mod_proxy_ajp.so
LoadModule proxy_balancer_module /usr/lib64/apache2/mod_proxy_balancer.so
LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
LoadModule slotmem_shm_module /usr/lib64/apache2/mod_slotmem_shm.so
LoadModule headers_module /usr/lib64/apache2/mod_headers.so
# Basic authentication against an htpasswd file (used for the API proxy).
LoadModule authn_core_module /usr/lib64/apache2/mod_authn_core.so
LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so
LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so
LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so
# NOTE(review): apache2-ipxe.conf.j2 uses Order/Allow/Deny, which are
# provided by mod_access_compat. With this line commented out those
# directives are only available if another file loads the module.
#LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so
07070100000005000081a400000000000000000000000168ee4b310000087c000000000000000000000000000000000000001c00000000ironic-config/httpd.conf.j2ServerRoot {{ env.HTTPD_DIR }}
# Main httpd configuration: plain-HTTP file server for /shared/html plus the
# global defaults inherited by the TLS virtual hosts pulled in from conf.d.
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen 0.0.0.0:{{ env.HTTP_PORT }}
Listen [::]:{{ env.HTTP_PORT }}
{% else %}
{% if env.ENABLE_IPV4 %}
Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
{% endif %}
{% endif %}
Include /etc/httpd/conf.modules.d/*.conf
# Worker processes run as an unprivileged account.
User ironic-suse
Group ironic-suse
# Default-deny for the whole filesystem; access is opened per directory below.
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/shared/html"
# NOTE(review): "Indexes" enables directory listings. ironic.conf.j2 places
# images_path and instance_master_path under /shared/html, so cached images
# and temporary files are listable and downloadable by anyone who can reach
# this port, over plain HTTP. Consider dropping Indexes if nothing depends
# on listings.
<Directory "/shared/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# NOTE(review): the parent section above already grants access to everything
# under /shared/html, so as far as this file shows, setting
# HTTPD_SERVE_NODE_IMAGES to anything other than "true" does not block
# /shared/html/images. An explicit "Require all denied" section for the
# disabled case would make the flag effective.
{%- if env.HTTPD_SERVE_NODE_IMAGES | lower == "true" %}
<Directory "/shared/html/images">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
{% endif %}
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# Never serve .htaccess / .htpasswd style files.
<Files ".ht*">
Require all denied
</Files>
ErrorLog "/dev/stderr"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "/dev/stderr" combined
</IfModule>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# NOTE(review): the INCLUDES filter belongs to mod_include, which is not in
# httpd-modules.conf in this archive; the two .shtml lines look like
# leftovers from the stock configuration and could be removed if unused.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
# NOTE(review): /var/tmp is normally world-writable; a directory owned by the
# service account is a safer place for the pid file.
PidFile /var/tmp/httpd.pid
# EnableSendfile directive could speed up deployments but it could also cause
# issues depending on the underlying file system, to learn more:
# https://httpd.apache.org/docs/current/mod/core.html#enablesendfile
{%- if env.HTTPD_ENABLE_SENDFILE | lower == "true" %}
EnableSendfile on
{% endif %}
# http TRACE can be subjected to abuse and should be disabled
TraceEnable off
# provide minimal server information
ServerTokens Prod
ServerSignature Off
IncludeOptional conf.d/*.conf
07070100000006000081a400000000000000000000000168ee4b3100000393000000000000000000000000000000000000002000000000ironic-config/inspector.ipxe.j2#!ipxe
# Fallback script for in-band inspection: download the IPA kernel and
# initramfs and boot them. Any download failure jumps back to the label
# below, so the loop retries without an attempt limit.
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
# NOTE(review): security-relevant parts of the kernel command line below:
#  - the kernel and initramfs are fetched from IRONIC_HTTP_URL; if that is a
#    plain-http URL the images have no transport integrity protection.
#  - ipa-insecure is taken from IPA_INSECURE; a true value makes the agent
#    skip TLS certificate verification when it calls back to Ironic.
#  - ipa-debug=1 is hard-coded, so agent debug logging is always on.
#  - sshkey is added when IRONIC_RAMDISK_SSH_KEY is set; presumably it
#    authorizes SSH login to the running ramdisk.
#  - INSPECTOR_EXTRA_ARGS and IRONIC_KERNEL_PARAMS are appended unvalidated
#    and can override any earlier parameter; treat them as operator-only.
kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot
07070100000007000081a400000000000000000000000168ee4b3100000e41000000000000000000000000000000000000002300000000ironic-config/ipxe_config.template#!ipxe
# Per-node iPXE boot script template. It differs from a plain-HTTP template
# in that the kernel and ramdisk URLs are rewritten to https on port 8084.
set attempts:int32 10
set i:int32 0
goto deploy
:deploy
imgfree
# URL rewrite: split the original URL on ":", keep the host part, drop the
# original port, and rebuild it as https on port 8084.
# NOTE(review): this assumes the URL has the shape scheme://host:port/path.
#  - A URL without an explicit port has no third element to index.
#  - An IPv6 literal host contains ":" itself and is split in the wrong place.
#  - Port 8084 is hard-coded and must match the port the iPXE TLS virtual
#    host actually listens on.
#  - When the source path is empty the https variable is never set, and the
#    kernel/initrd lines below are rendered without a URL.
{%- if pxe_options.deployment_aki_path %}
{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
{%- endif %}
{%- if pxe_options.deployment_ari_path %}
{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
{%- endif %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
boot
# Retry with a growing delay (1s, 2s, ...) until the attempt counter reaches
# its limit, then power the machine off.
:retry
iseq ${i} ${attempts} && goto fail ||
inc i
echo No response, retrying in ${i} seconds.
sleep ${i}
goto deploy
:fail
echo Failed to get a response after ${attempts} attempts
echo Powering off in 30 seconds.
sleep 30
poweroff
# Anaconda (kickstart) deployment; retries without limit on download failure.
:boot_anaconda
imgfree
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
boot
# Ramdisk deployment: boot an ISO when one is given, else kernel + ramdisk.
:boot_ramdisk
imgfree
{%- if pxe_options.boot_iso_url %}
sanboot {{ pxe_options.boot_iso_url }}
{%- else %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
boot
{%- endif %}
# NOTE(review): for boot-from-volume the iSCSI username and password are
# written in clear text into the rendered script, which is stored under the
# HTTP root and downloaded by the node. Access to rendered per-node scripts
# should be limited to the TLS port and the provisioning network, and
# directory listings of the HTTP root should be avoided.
{%- if pxe_options.boot_from_volume %}
:boot_iscsi
imgfree
{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
set username {{ volume.username }}
set password {{ volume.password }}
{%- set drive_id = 129 + i %}
sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
{%- endfor %}{% endif %}
{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
sanboot --no-describe || goto fail_iscsi_retry
:fail_iscsi_retry
echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
sleep 10
goto boot_iscsi
{%- endif %}
# Local boot: hand over to the first disk; exit 0 returns to the firmware
# boot order if that fails.
:boot_whole_disk
sanboot --no-describe || exit 0
07070100000008000081a400000000000000000000000168ee4b31000029af000000000000000000000000000000000000001d00000000ironic-config/ironic.conf.j2[DEFAULT]
# NOTE(review): noauth means Ironic itself authenticates nobody. The only
# API authentication visible in this archive is the optional HTTP Basic
# layer in httpd-ironic-api.conf.j2; without the reverse proxy and an
# htpasswd file the API is open to anyone who can reach it.
auth_strategy = noauth
# NOTE(review): debug logging is always on; debug logs can include request
# and node details, so treat the log stream as sensitive.
debug = true
default_deploy_interface = direct
default_inspect_interface = agent
default_network_interface = noop
enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
enabled_firmware_interfaces = no-firmware,fake,redfish
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_network_interfaces = noop
enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
# JSON-RPC between API and conductor is only used when explicitly exposed;
# the [json_rpc] section further down is rendered under the same condition.
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
rpc_transport = none
{% endif %}
use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
{% if env.ENABLE_IPV4 %}
my_ip = {{ env.IRONIC_IP }}
{% endif %}
{% if env.ENABLE_IPV6 %}
my_ipv6 = {{ env.IRONIC_IPV6 }}
{% endif %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
# If a path to a certificate is defined, use that first for webserver
# Otherwise certificate verification is switched off only when
# IRONIC_INSECURE is exactly "true"; in every other case the option is left
# out and Ironic's own default applies.
{% if env.WEBSERVER_CACERT_FILE %}
webserver_verify_ca = {{ env.WEBSERVER_CACERT_FILE }}
{% elif env.IRONIC_INSECURE == "true" %}
webserver_verify_ca = false
{% endif %}
isolinux_bin = /usr/share/syslinux/isolinux.bin
# NOTE(dtantsur): this path is specific to the GRUB image that is built into
# the ESP provided in [conductor]bootloader.
grub_config_path = EFI/BOOT/grub.cfg
[agent]
# Ramdisk logs are collected after every deployment and kept on the shared
# volume; they may contain node details, so restrict access to that path.
deploy_logs_collect = always
deploy_logs_local_path = /shared/log/ironic/deploy
# NOTE(dtantsur): in some environments temporary networking issues can cause
# the whole deployment to fail on inability to reach the ramdisk. Increasing
# retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30
certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
[api]
# Behind the reverse proxy the API listens on a unix socket or on loopback
# only; without it, the API binds directly to IRONIC_HOST_IP.
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
unix_socket = /shared/ironic.sock
# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
# another container, we need to make it world-writeable.
# NOTE(review): with auth_strategy = noauth, every process that can open
# this socket has unauthenticated API access, bypassing the proxy's Basic
# auth. A shared group with mode 0660 would narrow this if both containers
# can run with a common GID.
unix_socket_mode = 0666
{% else %}
host_ip = 127.0.0.1
port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %}
host_ip = {{ env.IRONIC_HOST_IP }}
port = {{ env.IRONIC_LISTEN_PORT }}
# TLS on the directly exposed API is enabled only for the exact value "true".
{% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true
{% endif %}
{% endif %}
api_workers = {{ env.NUMWORKERS }}
# Disable schema validation so we can pass nmstate format
# NOTE(review): the empty schema accepts any JSON document, so network_data
# supplied through the API is not validated by Ironic.
network_data_schema = /etc/ironic/network-data-schema-empty.json
[conductor]
# NOTE(review): when automated cleaning is disabled, disks are not wiped
# between deployments; make sure that matches the data-handling policy.
automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
# NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
deploy_callback_timeout = 4800
send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# NOTE(TheJulia): Do not lower this value below 120 seconds.
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
# Provide for a timeout longer than 60 seconds for certain vendor's hardware
power_state_change_timeout = 120
# Deploy kernel/ramdisk locations are only written when the corresponding
# variable is defined.
{% if env.DEPLOY_KERNEL_URL is defined %}
deploy_kernel = {{ env.DEPLOY_KERNEL_URL }}
{% endif %}
{% if env.DEPLOY_KERNEL_BY_ARCH is defined %}
deploy_kernel_by_arch = {{ env.DEPLOY_KERNEL_BY_ARCH }}
{% endif %}
{% if env.DEPLOY_RAMDISK_URL is defined %}
deploy_ramdisk = {{ env.DEPLOY_RAMDISK_URL }}
{% endif %}
{% if env.DEPLOY_RAMDISK_BY_ARCH is defined %}
deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
{% endif %}
# NOTE(review): this switches off Ironic's content inspection of disk images
# before they are used. It is a security control; only disable it when every
# image source is trusted.
{% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
disable_deep_image_inspection = True
{% endif %}
[database]
# NOTE(review): a database connection URL usually embeds credentials, so the
# rendered ironic.conf should be readable by the service account only.
{% if env.IRONIC_USE_MARIADB | lower == "true" %}
connection = {{ env.MARIADB_CONNECTION }}
{% else %}
connection = {{ env.LOCAL_DB_URI }}
# Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time.
sqlite_synchronous = False
{% endif %}
[deploy]
default_boot_option = local
# Cleaning wipes partition metadata only; erase_devices_priority = 0 disables
# the full device erase step, so previous tenants' data blocks remain on disk.
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
# Prefer the HTTPS virtual-media URL whenever a vmedia TLS port is configured.
http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %}
# An explicit external URL wins; otherwise fall back to the HTTPS vmedia URL
# when a vmedia TLS port is configured.
{% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.VMEDIA_TLS_PORT %}
external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }}
{% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
{% endif %}
# Ironic does not manage DHCP itself; dnsmasq is configured separately.
[dhcp]
dhcp_provider = none
[inspector]
# NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
# booting IPA through a separate inspector.ipxe rather than the driver's boot
# interface), so managed boot is not required.
require_managed_boot = False
# Nodes stay powered on after inspection only when fast track is "true".
power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
# NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
hooks = $default_hooks,parse-lldp
add_ports = all
keep_ports = present
# NOTE(review): with discovery enabled, an unknown machine that boots the
# inspection ramdisk on the provisioning network is enrolled automatically.
# The agent endpoints it uses are exempt from authentication in
# httpd-ironic-api.conf.j2, so only enable this on an isolated network.
[auto_discovery]
enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
driver = ipmi
[ipmi]
# use_ipmitool_retries transfers the responsibility of retrying to ipmitool
# when supported. If set to false, then ipmitool is called as follows :
# $ipmitool -R 1 -N 1 ...
# and Ironic handles the retry loop.
use_ipmitool_retries = false
# The following parameters are the defaults in Ironic. They are used in the
# following way if use_ipmitool_retries is set to true:
# $ipmitool -R <X> -N <Y> ...
# where :
# X = command_retry_timeout / min_command_interval
# Y = min_command_interval
# If use_ipmitool_retries is false, then ironic retries X times, with an
# interval of Y in between each tries.
min_command_interval = 5
command_retry_timeout = 60
# List of possible cipher suites versions that can be
# supported by the hardware in case the field `cipher_suite`
# is not set for the node. (list value)
# NOTE(review): suite 17 is the stronger of the two listed; confirm the order
# in which Ironic tries them and set cipher_suite per node where the BMC
# supports 17, so that suite 3 is only a compatibility fallback.
cipher_suite_versions = 3,17
# Rendered only when JSON-RPC is exposed (same condition as rpc_transport).
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
[json_rpc]
# We assume that when we run API and conductor in the same container, they use
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = http_basic
http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
host_ip = {{ env.IRONIC_HOST_IP }}
# NOTE(review): TLS for the RPC channel depends on IRONIC_TLS_SETUP being
# exactly "true"; otherwise the Basic credentials above are sent in clear
# text to IRONIC_HOST_IP. When IRONIC_INSECURE is true, the peer certificate
# is not verified even though a CA file is configured.
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
insecure = {{ env.IRONIC_INSECURE }}
{% endif %}
{% endif %}
[nova]
send_power_notifications = false
[pxe]
# NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen.
# The default settings enable 3 retries after 20 minutes each.
boot_retry_timeout = 1200
# NOTE(review): images_path and instance_master_path live under the httpd
# DocumentRoot (/shared/html), so cached and in-progress images are reachable
# over HTTP by anyone who can connect to the file server.
images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot
# Kernel command line for the deploy ramdisk. Security-relevant parts:
#  - ipa-insecure comes from IPA_INSECURE; a true value makes the agent skip
#    TLS certificate verification.
#  - fips is added only when ENABLE_FIPS_IPA is set.
#  - sshkey is added only when IRONIC_RAMDISK_SSH_KEY is set.
#  - IRONIC_KERNEL_PARAMS is appended unvalidated; treat it as operator-only.
# The same line is repeated in [redfish], [ilo] and [irmc]; keep them in sync.
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
# This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface).
enable_netboot_fallback = true
# Enable the fallback path to in-band inspection
ipxe_fallback_script = inspector.ipxe
# The https-rewriting iPXE template is used only when iPXE TLS is enabled.
{% if env.IPXE_TLS_SETUP | lower == "true" %}
ipxe_config_template = /tmp/ipxe_config.template
{% endif %}
# The three kernel_append_params lines below are copies of the [pxe] one:
# ipa-insecure controls whether the agent verifies TLS certificates, sshkey
# and fips are optional, and IRONIC_KERNEL_PARAMS is appended unvalidated.
[redfish]
use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
use_web_server_for_images = true
[irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}
# Certificate and key for Ironic's own TLS listener; rendered only when
# IRONIC_TLS_SETUP is exactly "true". The key file should be readable by the
# service account only.
{% if env.IRONIC_TLS_SETUP == "true" %}
[ssl]
cert_file = {{ env.IRONIC_CERT_FILE }}
key_file = {{ env.IRONIC_KEY_FILE }}
{% endif %}
07070100000009000081a400000000000000000000000168ee4b3100000003000000000000000000000000000000000000002d00000000ironic-config/network-data-schema-empty.json{}
0707010000000a000041ed00000000000000000000000168ee4b3100000000000000000000000000000000000000000000000e00000000ironic-config07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!