openstack/ironic
Code Issues Proposed changes

Documentation for Security Groups for baremetal servers

Browse Source 
This patch updates the Ironic documentation to describe how to
configure security groups for baremetal servers.

Change-Id: I19b42f0fcecc7e4952de452e8576a1ad87e73b61
Closes-bug: 1594242
This commit is contained in:
Sukhdev Kapur 2016-11-04 16:55:49 -07:00
parent d69a3b6c58
commit 27b2453642
1 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
doc/source/deploy/multitenancy.rst
View File

@ -104,6 +104,38 @@ interface as stated above):
* if using iPXE, the egress port used for the HTTP server running * if using iPXE, the egress port used for the HTTP server running
on the ironic conductor nodes (typically 80). on the ironic conductor nodes (typically 80).
#. This step is optional and applicable only if you want to use security
groups during provisioning and/or cleaning of the nodes. If not specified,
default security groups are used.
First define security groups in neutron to be used for provisioning
and/or cleaning networks. Then add the list of these security group
UUIDs under the neutron section in ironic-conductor configuration file
as shown below::
[neutron]
...
cleaning_network=$CLEAN_UUID_OR_NAME
cleaning_network_security_groups=[$LIST_OF_CLEAN_SEC_GROUPS]
provisioning_network=$PROVISION_UUID_OR_NAME
provisioning_network_security_groups=[$LIST_OF_PROVISION_SEC_GROUPS]
Multiple security groups may be applied to a given network, hence,
they are specified as a list.
The same security group(s) could be used for both provisioning and
cleaning networks.
.. warning::
If security groups are configured as described above, do not
set the "port_security_enabled" flag to False for the corresponding
neutron network or port. This will cause the deploy to fail.
For example: if provisioning_network_security_groups configuration
option is used, ensure that "port_security_enabled" flag for
provisioning network is set to True. This flag is set to True by
default; make sure not to override it by manually setting it to False.
#. Install and configure a compatible ML2 mechanism driver which supports bare #. Install and configure a compatible ML2 mechanism driver which supports bare
metal provisioning for your switch. See `ML2 plugin configuration manual metal provisioning for your switch. See `ML2 plugin configuration manual
<http://docs.openstack.org/networking-guide/config-ml2.html>`_ <http://docs.openstack.org/networking-guide/config-ml2.html>`_