Difference between revisions of "Ironic-at-home"
Latest revision as of 17:25, 25 November 2023
Having quite a number of assorted servers, it would be nice to be able to do OS installation tasks automatically and in a consistent fashion across the board. There are many tools available to achieve this end, but being an OpenStack fan, I have decided to try out the OpenStack Ironic solution.
Now, being an OpenStack project, Ironic is dependent on quite a few other OpenStack components. These include AMQP messaging (RabbitMQ), the OpenStack identity service (Keystone), as well as the OpenStack compute, network, block storage, and image services (Nova, Neutron, Cinder, and Glance).
All server state changes will be done by leveraging the existing Salt infrastructure. And for the time being, the Debian 11 packaged OpenStack components are being installed.
What follows is a bit of a build-log of the Salt states for software installation and configuration. And maybe some diving into rabbit holes as we go...
- The AMQP broker (RabbitMQ) has been installed. No configuration so far.
- The PostgreSQL database server has been installed. Configuration so far:
  - PostgreSQL is configured to listen on all IP interfaces
  - TLS (at least v1.2) communication is required
  - A locally generated set of Diffie-Hellman parameters is in use
  - A locally generated 4096-bit RSA key is created
  - A corresponding self-signed X.509 certificate is created, too
- Keystone is being installed. Configuration so far:
  - A directory to store Fernet keys is created
  - An IPv6 listener is configured on TCP port 5000 for the UWSGI wrapper
  - A 4096-bit RSA private key is generated
  - A corresponding self-signed X.509 certificate is created, too
  - Permissions on the private key file are set to 0400, owner keystone, group keystone
  - An IPv6 TLS-enabled listener is configured on TCP port 5001 for the UWSGI wrapper
  - The keystone configuration file is set to use the PostgreSQL database as specified using Salt Pillars
  - The python3-keystoneclient package is installed, enabling a shell user to do such things as generate tokens on the command line
- A Keystone bootstrap state has been created which does the following:
  - Creates a PostgreSQL database user as specified in the Salt Pillar
  - Creates a PostgreSQL database owned by the just-created user
  - Initializes the database schema (and tests the keystone configuration file settings)
  - Creates initial Fernet keys
  - Populates the Keystone database with credentials for the Keystone admin user and project (as specified in the Salt Pillars)
- Internet-facing HAProxy systems are configured to listen for Keystone connections.
  - The plain-text port (5000) always redirects the client to the TLSified port (5001)
  - A LetsEncrypt-managed TLS certificate is in use on the Internet-facing TLSified port (5001)
  - The TLSified front-end communicates only with the TLSified Keystone UWSGI service. No plain-text traffic over the wire.
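The PostgreSQL TLS items above (4096-bit key, self-signed certificate, local DH parameters, TLS 1.2 minimum) expressed as a Salt state. This is an added example written for this page, not the author's own state; it assumes Debian 11 paths (`/etc/postgresql/13/main`), an assumed key directory `/etc/ssl/postgresql`, and the `x509_v2` state module.

```yaml
# Added example (not the page's own state): PostgreSQL TLS posture as Salt states.
# Assumptions: Debian 11 PostgreSQL 13 config path, key material under
# /etc/ssl/postgresql (both chosen for this example), x509_v2 state module.
postgres_tls_dir:
  file.directory:
    - name: /etc/ssl/postgresql
    - user: postgres
    - group: postgres
    - mode: '0750'

postgres_tls_key:
  x509.private_key_managed:
    - name: /etc/ssl/postgresql/server.key
    - algo: rsa
    - keysize: 4096
    - user: postgres
    - group: postgres
    - mode: '0400'            # only the postgres user may read the key
    - require:
      - file: postgres_tls_dir

postgres_tls_cert:
  x509.certificate_managed:
    - name: /etc/ssl/postgresql/server.crt
    - signing_private_key: /etc/ssl/postgresql/server.key   # self-signed
    - CN: {{ grains['fqdn'] }}
    - days_valid: 365
    - mode: '0644'
    - require:
      - x509: postgres_tls_key

postgres_dhparams:
  cmd.run:
    - name: openssl dhparam -out /etc/ssl/postgresql/dh4096.pem 4096
    - creates: /etc/ssl/postgresql/dh4096.pem   # generate once, never overwrite
    - runas: postgres

postgres_tls_conf:
  file.keyvalue:
    - name: /etc/postgresql/13/main/postgresql.conf
    - separator: ' = '
    - uncomment: '#'          # also matches the shipped '#ssl = off' style lines
    - append_if_not_found: True
    - key_values:
        listen_addresses: "'*'"
        ssl: 'on'
        ssl_min_protocol_version: "'TLSv1.2'"
        ssl_cert_file: "'/etc/ssl/postgresql/server.crt'"
        ssl_key_file: "'/etc/ssl/postgresql/server.key'"
        ssl_dh_params_file: "'/etc/ssl/postgresql/dh4096.pem'"
```

Making TLS mandatory rather than merely available is a pg_hba.conf matter (`hostssl` entries instead of `host`), which this state leaves to a separate state; a `service.running` state watching `postgres_tls_conf` is also needed to reload PostgreSQL.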
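The Keystone bootstrap sequence above (database user and database, schema sync, Fernet keys, admin credentials) as a Salt state. This is an added example, not the author's bootstrap state; the pillar keys `keystone:db_user`, `keystone:db_pass`, `keystone:admin_pass` and `keystone:public_url` are assumed names, and the admin password is handed to `keystone-manage bootstrap` through the `OS_BOOTSTRAP_PASSWORD` environment variable so that it never appears in the command line or Salt's job log.

```yaml
# Added example (not the page's own state): Keystone bootstrap as Salt states.
# Assumed pillar keys: keystone:db_user, db_pass, admin_pass, public_url.
{% set ks = pillar['keystone'] %}

keystone_db_user:
  postgres_user.present:
    - name: {{ ks['db_user'] }}
    - password: {{ ks['db_pass'] }}
    - encrypted: scram-sha-256   # store a SCRAM verifier, not the clear-text password

keystone_db:
  postgres_database.present:
    - name: keystone
    - owner: {{ ks['db_user'] }}
    - require:
      - postgres_user: keystone_db_user

keystone_db_sync:
  cmd.run:
    - name: keystone-manage db_sync      # also exercises [database]/connection
    - runas: keystone
    - require:
      - postgres_database: keystone_db

keystone_fernet_keys:
  cmd.run:
    - name: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    - creates: /etc/keystone/fernet-keys/0   # idempotent: never regenerate live keys
    - require:
      - cmd: keystone_db_sync

keystone_bootstrap:
  cmd.run:
    - name: >-
        keystone-manage bootstrap
        --bootstrap-admin-url {{ ks['public_url'] }}
        --bootstrap-internal-url {{ ks['public_url'] }}
        --bootstrap-public-url {{ ks['public_url'] }}
        --bootstrap-region-id RegionOne
    - env:
      - OS_BOOTSTRAP_PASSWORD: {{ ks['admin_pass'] }}   # keeps the secret out of argv
    - runas: keystone
    - require:
      - cmd: keystone_fernet_keys
```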