Configuration ============= This guide covers manual configuration of the Bare Metal service in the standalone mode. Alternatively, Bifrost_ can be used for automatic configuration. .. _Bifrost: https://docs.openstack.org/bifrost/latest/ Service settings ---------------- It is possible to use the Bare Metal service without other OpenStack services. You should make the following changes to ``/etc/ironic/ironic.conf``: #. Choose an authentication strategy which supports standalone, one option is ``noauth``: .. code-block:: ini [DEFAULT] auth_strategy=noauth Another option is ``http_basic`` where the credentials are stored in an `Apache htpasswd format`_ file: .. code-block:: ini [DEFAULT] auth_strategy=http_basic http_basic_auth_user_file=/etc/ironic/htpasswd Only the ``bcrypt`` format is supported, and the Apache ``htpasswd`` utility can be used to populate the file with entries, for example: .. code-block:: shell htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd #. If you want to disable the Networking service, you should have your network pre-configured to serve DHCP and TFTP for machines that you're deploying. To disable it, change the following lines: .. code-block:: ini [dhcp] dhcp_provider=none .. note:: If you disabled the Networking service and the driver that you use is supported by at most one conductor, PXE boot will still work for your nodes without any manual config editing. This is because you know all the DHCP options that will be used for deployment and can set up your DHCP server appropriately. If you have multiple conductors per driver, it would be better to use Networking since it will do all the dynamically changing configurations for you. #. If you want to disable using a messaging broker between conductor and API processes, switch to JSON RPC instead: .. code-block:: ini [DEFAULT] rpc_transport = json-rpc JSON RPC also has its own authentication strategy. If it is not specified then the strategy defaults to ``[DEFAULT]`` ``auth_strategy``. The following will set JSON RPC to ``noauth``: .. code-block:: ini [json_rpc] auth_strategy = noauth For ``http_basic`` the conductor server needs a credentials file to validate requests: .. code-block:: ini [json_rpc] auth_strategy = http_basic http_basic_auth_user_file = /etc/ironic/htpasswd-json-rpc The API server also needs client-side credentials to be specified: .. code-block:: ini [json_rpc] auth_type = http_basic username = myName password = myPassword #. Starting with the Yoga release series, you can use a combined API+conductor service and completely disable the RPC. Set .. code-block:: ini [DEFAULT] rpc_transport = none and use the ``ironic`` executable to start the combined service. .. note:: The combined service also works with RPC enabled, which can be useful for some deployments, but may not be advisable for all security models. Using CLI --------- To use the :python-ironicclient-doc:`baremetal CLI `, set up these environment variables. If the ``noauth`` authentication strategy is being used, the value ``none`` must be set for OS_AUTH_TYPE. OS_ENDPOINT is the URL of the ironic-api process. For example: .. code-block:: shell export OS_AUTH_TYPE=none export OS_ENDPOINT=http://localhost:6385/ If the ``http_basic`` authentication strategy is being used, the value ``http_basic`` must be set for OS_AUTH_TYPE. For example: .. code-block:: shell export OS_AUTH_TYPE=http_basic export OS_ENDPOINT=http://localhost:6385/ export OS_USERNAME=myUser export OS_PASSWORD=myPassword .. _`Apache htpasswd format`: https://httpd.apache.org/docs/current/misc/password_encryptions.html