openstack/ironic
Code Issues Proposed changes
Files
a65ea27aa4fd1c80f896e23cfd64e874da9a6f4e
ironic/doc/source/install/standalone/configure.rst
Dmitry Tantsur 3831464751 Switch from local RPC to automated JSON RPC on localhost 
Change-Id: I4a245b3820f8054cb8e6b716aa101aeb3876e504
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
2025-07-21 18:15:17 +02:00

4.2 KiB
Raw Blame History

Configuration

This guide covers manual configuration of the Bare Metal service in the standalone mode. Alternatively, Bifrost can be used for automatic configuration.

Service settings

It is possible to use the Bare Metal service without other OpenStack services. You should make the following changes to /etc/ironic/ironic.conf:

  1. Choose an authentication strategy which supports standalone, one option is noauth:

    [DEFAULT]
auth_strategy=noauth

    Another option is http_basic where the credentials are stored in an Apache htpasswd format file:

    [DEFAULT]
auth_strategy=http_basic
http_basic_auth_user_file=/etc/ironic/htpasswd

    Only the bcrypt format is supported, and the Apache htpasswd utility can be used to populate the file with entries, for example:

    htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd

  2. If you want to disable the Networking service, you should have your network pre-configured to serve DHCP and TFTP for machines that you're deploying. To disable it, change the following lines:

    [dhcp]
dhcp_provider=none

    Note

    If you disabled the Networking service and the driver that you use is supported by at most one conductor, PXE boot will still work for your nodes without any manual config editing. This is because you know all the DHCP options that will be used for deployment and can set up your DHCP server appropriately.

    If you have multiple conductors per driver, it would be better to use Networking since it will do all the dynamically changing configurations for you.

  3. If you want to disable using a messaging broker between conductor and API processes, switch to JSON RPC instead:

    [DEFAULT]
rpc_transport = json-rpc

    JSON RPC also has its own authentication strategy. If it is not specified then the strategy defaults to [DEFAULT] auth_strategy. The following will set JSON RPC to noauth:

    [json_rpc]
auth_strategy = noauth

    For http_basic the conductor server needs a credentials file to validate requests:

    [json_rpc]
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-json-rpc

    The API server also needs client-side credentials to be specified:

    [json_rpc]
auth_type = http_basic
username = myName
password = myPassword

  4. To make graphical consoles available for local viewing, set the following, including an appropriate container image reference for console_image.

    [vnc]
enabled=True
port=6090
host_ip=127.0.0.1
public_url=http://127.0.0.1:6090/vnc_lite.html
container_provider=systemd
console_image=<image reference>

  5. Starting with the Yoga release series, you can use a combined API+conductor+novncproxy service with the local RPC. Set

    [DEFAULT]
rpc_transport = none

    and use the ironic executable to start the combined service.

    Note

    The combined service also works with RPC enabled, which can be useful for some deployments, but may not be advisable for all security models.

Using CLI

To use the baremetal CLI <cli/osc_plugin_cli.html>, set up these environment variables. If the noauth authentication strategy is being used, the value none must be set for OS_AUTH_TYPE. OS_ENDPOINT is the URL of the ironic-api process. For example:

export OS_AUTH_TYPE=none
export OS_ENDPOINT=http://localhost:6385/

If the http_basic authentication strategy is being used, the value http_basic must be set for OS_AUTH_TYPE. For example:

export OS_AUTH_TYPE=http_basic
export OS_ENDPOINT=http://localhost:6385/
export OS_USERNAME=myUser
export OS_PASSWORD=myPassword