openstack/ironic
Code Issues Proposed changes
Files
beaaf405d3a6e1195ab0260eeed4a416f59ab028
ironic/doc/source/install/standalone/configure.rst
Steve Baker beaaf405d3 Add ironic-novncproxy service 
This is a forklift of the nova novncproxy service to act as the noVNC
front-end to graphical consoles.

The service does the following:
- serves noVNC web assets for the browser based VNC client
- creates a websocket to proxy VNC traffic to an actual VNC server
- decouples authentication traffic so that the source server can have
  a different authentication method than the browser client

The forklifted code has been adapted to Ironic conventions, including:
- [vnc] config options following Ironic conventions and using existing
  config options where appropriate
- Removing the unnecessary authentication method VeNCrypt, leaving only
  the None auth method.
- Adapting the ironic-novncproxy command to use Ironic's service launch
  approach, allowing it to be started as part of the all-in-one ironic
- Replace Nova's approach of looking up the instance via the token.
  Instead the node UUID is included in the websocket querystring
  alongside the token
- Removing cookie fallback when token is missing from querystring
- Removing expected protocol validation in the websocket handshake
- Removing internal access path support
- Removing enforce_session_timeout as this will be done at the
  container level

Related-Bug: 2086715
Change-Id: I575a8671e2262408ba1d690cfceabe992c2d4fef
2025-02-19 20:17:57 +00:00

3.8 KiB
Raw Blame History

Configuration

This guide covers manual configuration of the Bare Metal service in the standalone mode. Alternatively, Bifrost can be used for automatic configuration.

Service settings

It is possible to use the Bare Metal service without other OpenStack services. You should make the following changes to /etc/ironic/ironic.conf:

  1. Choose an authentication strategy which supports standalone, one option is noauth:

    [DEFAULT]
auth_strategy=noauth

    Another option is http_basic where the credentials are stored in an Apache htpasswd format file:

    [DEFAULT]
auth_strategy=http_basic
http_basic_auth_user_file=/etc/ironic/htpasswd

    Only the bcrypt format is supported, and the Apache htpasswd utility can be used to populate the file with entries, for example:

    htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd

  2. If you want to disable the Networking service, you should have your network pre-configured to serve DHCP and TFTP for machines that you're deploying. To disable it, change the following lines:

    [dhcp]
dhcp_provider=none

    Note

    If you disabled the Networking service and the driver that you use is supported by at most one conductor, PXE boot will still work for your nodes without any manual config editing. This is because you know all the DHCP options that will be used for deployment and can set up your DHCP server appropriately.

    If you have multiple conductors per driver, it would be better to use Networking since it will do all the dynamically changing configurations for you.

  3. If you want to disable using a messaging broker between conductor and API processes, switch to JSON RPC instead:

    [DEFAULT]
rpc_transport = json-rpc

    JSON RPC also has its own authentication strategy. If it is not specified then the strategy defaults to [DEFAULT] auth_strategy. The following will set JSON RPC to noauth:

    [json_rpc]
auth_strategy = noauth

    For http_basic the conductor server needs a credentials file to validate requests:

    [json_rpc]
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-json-rpc

    The API server also needs client-side credentials to be specified:

    [json_rpc]
auth_type = http_basic
username = myName
password = myPassword

  4. Starting with the Yoga release series, you can use a combined API+conductor+novncproxy service and completely disable the RPC. Set

    [DEFAULT]
rpc_transport = none

    and use the ironic executable to start the combined service.

    Note

    The combined service also works with RPC enabled, which can be useful for some deployments, but may not be advisable for all security models.

Using CLI

To use the baremetal CLI <cli/osc_plugin_cli.html>, set up these environment variables. If the noauth authentication strategy is being used, the value none must be set for OS_AUTH_TYPE. OS_ENDPOINT is the URL of the ironic-api process. For example:

export OS_AUTH_TYPE=none
export OS_ENDPOINT=http://localhost:6385/

If the http_basic authentication strategy is being used, the value http_basic must be set for OS_AUTH_TYPE. For example:

export OS_AUTH_TYPE=http_basic
export OS_ENDPOINT=http://localhost:6385/
export OS_USERNAME=myUser
export OS_PASSWORD=myPassword