docs: add context around bmc password changes
Change-Id: I081af9efc7aea35a876e79e9444dad8ff91e9692 Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
This commit is contained in:
Julia Kreger
@@ -96,10 +96,10 @@ Power fault and recovery
|
||||
========================
|
||||
|
||||
When `Baremetal Power Sync`_ is enabled, and the Bare Metal service loses
|
||||
access to a node (usually because of invalid credentials, BMC issues or
|
||||
networking interruptions), the node enters ``maintenance`` mode and its
|
||||
``fault`` field is set to ``power failure``. The exact reason is stored in the
|
||||
``maintenance_reason`` field.
|
||||
access to a node (usually because of invalid credentials due to rotation,
|
||||
BMC issues or networking interruptions), the node enters ``maintenance``
|
||||
mode and its ``fault`` field is set to ``power failure``. The exact reason
|
||||
is stored in the ``maintenance_reason`` field.
|
||||
|
||||
As always with maintenance mode, only a subset of operations will work on such
|
||||
nodes, and both the Compute service and the Ironic's native allocation API will
|
||||
|
||||
@@ -446,6 +446,49 @@ be tuned using the :oslo.config:option:`DEFAULT.minimum_required_memory` setting
|
||||
Operators with a higher level of concurrency may wish to increase the
|
||||
default value.
|
||||
|
||||
BMC Credentials
|
||||
---------------
|
||||
|
||||
Due to the nature of Ironic and the use of Baseboard Management Controllers
|
||||
to manage physical machines, Ironic has to be supplied with current credentials
|
||||
for each node it manages.
|
||||
|
||||
Ironic utilizes the credentials to perform actions on behalf of the API user
|
||||
in a manor which is both delineated and removes the need for external users
|
||||
to know the credentials. With this Ironic also monitors and helps enforce the
|
||||
requested power state of the remote machine, as well as to collect any sensor
|
||||
data when Ironic is configured to collect such data.
|
||||
|
||||
Should the credentials for baremetal nodes under Ironic's management
|
||||
need to be changed, the credentials must also be updated in Ironic itself
|
||||
by updating the appropriate driver specific credential parameters on each
|
||||
baremetal node.
|
||||
|
||||
Under a normal sequence of events, Ironic will pickup the new credentials
|
||||
for the next management operation which is typically the power state sync.
|
||||
If the credentials are wrong or have the wrong level of access, then the node
|
||||
will enter a maintenance state automatically and a fault will be recorded.
|
||||
For more context on the power state sync and power fault recover, please
|
||||
see :doc:`/admin/power-sync`. When this issue has been corrected with the
|
||||
credential, modern Ironic users should find the node recover automatically.
|
||||
|
||||
.. warning::
|
||||
Operators re-using the same credentials with a centrally managed credential
|
||||
management system with separate BMC configuration should be careful about
|
||||
credential rotations. These operators risk causing the account to access the
|
||||
BMC to be locked out, and should likely explicitly set nodes to ``maintenance``
|
||||
state prior to rotating credentials, and afterward unset the maintenance
|
||||
state. This is to avoid locking out access if the same username is utilized
|
||||
across the credential rotation. An alternative pattern is to create a *new*
|
||||
user, and rotate the nodes in Ironic by resetting the driver specific
|
||||
parameter with the new user name and password.
|
||||
|
||||
The Ironic project recommends:
|
||||
|
||||
* Unique passwords be used for each baremetal node.
|
||||
* Operators leverage good password practices by not re-using the credentials
|
||||
for other tools or systems.
|
||||
|
||||
Disk Images
|
||||
===========
|
||||
|
||||
|
||||
@@ -1392,3 +1392,69 @@ The net result is the best criteria to match on is:
|
||||
.. NOTE: Centos Stream-9 appears to have a probe_type="sync" option which
|
||||
reverts this behavior. For more information please see
|
||||
this `centos stream-9 changeset <https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2819/diffs?commit_id=a93f405246083f0c2e81d0e6c37ba31c6c1b29c3>`_.
|
||||
|
||||
I changed the BMC password, and now a node is in maintenance state.
|
||||
===================================================================
|
||||
|
||||
Ironic automatically checks access to a remote BMC utilizing the configured
|
||||
credentials for the driver. Depending on the driver in use, this can vary
|
||||
in field name, but these fields are set in each node's ``driver_info``
|
||||
parameter and must be reset.
|
||||
|
||||
Once the credential issue has been resolved, Ironic automatically moves
|
||||
the node out of maintenance state upon the next attempt to check the power
|
||||
state. Please review :doc:`/admin/power-sync` for more information, however
|
||||
an operator can also explicitly unset the maintenance state as well, and
|
||||
the examples below are detailed as such.
|
||||
|
||||
For example, with Redfish...
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack baremetal node set --driver-info redfish_username=<new_user> --driver-info redfish_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node maintenance unset <node_uuid>
|
||||
|
||||
For example, with IPMI...
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack baremetal node set --driver-info ipmi_username=<new_user> --driver-info ipmi_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node maintenance unset <node_uuid>
|
||||
|
||||
For example, with iDRAC drivers...
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack baremetal node set --driver-info drac_username=<new_user> --driver-info drac_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node set --driver-info redfish_username=<new_user> --driver-info redfish_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node maintenance unset <node_uuid>
|
||||
|
||||
.. note::
|
||||
The ``drac_username`` and ``drac_password`` parameters were used by WSMAN
|
||||
Dell iDRAC drivers. Newer versions of the drivers utilize Redfish natively.
|
||||
|
||||
For example, with iLO drivers...
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack baremetal node set --driver-info ilo_username=<new_user> --driver-info ilo_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node maintenance unset <node_uuid>
|
||||
|
||||
For example, with iRMC drivers...
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack baremetal node set --driver-info irmc_username=<new_user> --driver-info irmc_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node set --driver-info redfish_username=<new_user> --driver-info redfish_password=<new_pass> <node_uuid>
|
||||
$ openstack baremetal node set --driver-info irmc_snmp_user=<new_user> --driver-info irmc_snmp_auth_password=<new_auth_pass> --driver-info irmc_snmp_priv_password=<new_priv_password> <node_uuid>
|
||||
$ openstack baremetal node maintenance unset <node_uuid>
|
||||
|
||||
.. note::
|
||||
iRMC drivers utilize a mix of protocols and can have explicit credentials
|
||||
set for each protocol utilized.
|
||||
|
||||
.. note::
|
||||
Ironic generally does not manage or rotate the remote BMC credentials due
|
||||
to the risk of user lockout if the account is not for the specific use of
|
||||
Ironic. Some vendor drivers have added this functionality, however such
|
||||
actions should be made with caution.
|
||||
|
||||
Reference in New Issue
Block a user