Bifrost Architecture¶
This document describes what and how Bifrost installs in the default setup
(e.g. one created by ./bifrost-cli install
).
Components¶
Bifrost installs the following main components:
- ironic
Ironic is the main service that provides bare metal capabilities. Its bare metal API is served on TCP port 6385.
- ironic-inspector
Inspector is an auxiliary service that provides in-band inspection. Its introspection API is served on TCP port 5050.
Inspector can be disabled by setting
enable_inspector=false
.- mariadb
MariaDB is used as a database to persistently store information.
- nginx
Nginx is used as a web server for three main purposes:
to serve iPXE configuration scripts when booting nodes over the network,
to serve virtual media ISO images to BMC when booting nodes over virtual CD,
to serve instance images to the ramdisk when deploying nodes.
Uses HTTP port 8080 by default (can be changed via the
file_url_port
parameter).When TLS is enabled, Nginx serves as a TLS proxy for Ironic and Inspector. It listens on ports 6385 and 5050 and passes requests to the services via unix sockets.
- dnsmasq
Dnsmasq is used as a DHCP and TFTP server (but not for DNS by default) when booting nodes over the network. It can also be used to provide DHCP to deployed nodes.
Dnsmasq can be disabled by setting
enable_dhcp=false
or passing--disable-dhcp
tobifrost-cli
.
The following components can be enabled if needed:
- keystone
Keystone is an OpenStack Identity service. It can be used to provide sophisticated authentication to Ironic and Inspector instead of HTTP basic authentication. Its identity API is served using uWSGI and Nginx on the port 5000, the systemd service is called
uwsgi@keystone-public
.See Using Keystone for details.
- ironic-prometheus-exporter
An exporter that exposes hardware metrics from the node’s BMC (using IPMI or Redfish) for consumption by Prometheus.
The exporter can be enabled by setting
enable_prometheus_exporter=true
or passing--enable-prometheus-exporter
tobifrost-cli
.
Networking¶
Bifrost Installation requires to specify the network interface which will be
used for communication with the nodes. On systems that use firewalld, a new
zone bifrost
is created with this interface, and firewall settings are
adjusted to allow boot traffic (DHCP, TFTP, etc) through this interface.
Virtual testing environments use network interface virbr0
, IP subnet
192.168.122.1/24
and the libvirt
firewalld zone by default.
Parameters¶
network_interface
the main network interface for provisioning nodes. It is recommended to use an isolated network for this purpose.
internal_ip
IPv4 address of the Bifrost node on the provisioning interface. Normally derived automatically. You can use the following command to detect it:
$ sudo awk '/^tftp_server =/ { print $3 }' /etc/ironic/ironic.conf 192.168.122.1
This IP address is used for all provisioning traffic: TFTP, iPXE, call-backs to Ironic and Inspector. It is also used for the traffic between the services.
public_ip
IPv4 address of the Bifrost node that is accessible outside of the provisioning environment. Used e.g. to provide public URLs for the service catalog, when Keystone support is enabled.
Note
Bifrost does not currently support IPv6, contributions are welcome.
Locations¶
Note
Many locations are not writable or even readable by the regular user (even
the one that started installation). You need to use sudo
or add the user
to ironic
and nginx
groups.
Installation locations¶
/opt/stack/bifrost
is a Python virtual environment where all Python packages are installed.
/opt/stack/<reponame>
is a source directory for project
<reponame>
(e.g.ironic
) installed from source. Services are installed this way, while libraries are mostly installed as packages.Unlike most other locations, these paths will be owned by the user that installed Bifrost (i.e. your regular user).
Log locations¶
- journald
is used for logging from most services. For example, to get Inspector logs:
$ sudo journalctl -u ironic-inspector
/var/log/ironic/deploy
contains tarballs with ramdisk logs from deployment or cleaning. The file name format is
<node UUID>-<node name>-[cleaning-]<datatime>.tar.gz
. You can access the main logs like this:$ cd $(mktemp -d) $ sudo tar -xzf \ /var/log/ironic/deploy/493aacf2-90ec-5e3d-9ce5-ea496f12e2a5_testvm3_2021-11-08-17-34-18.tar.gz $ less journal # for ramdisks that use systemd, e.g. DIB-built $ less var/log/ironic-python-agent.log # for tinyIPA and similar
/var/log/ironic-inspector/ramdisk
contains tarballs with ramdisk logs from inspection. They are very similar to ramdisk logs from deployment and cleaning.
/var/log/nginx/
contains logs for serving files (iPXE scripts, images, virtual media ISOs).
/var/log/nginx/keystone
contains HTTP logs for Keystone API, complementing the logs from the
uwsgi@keystone-public
systemd unit.
Runtime locations¶
/var/lib/ironic/httpboot
HTTP root directory. Contains iPXE scripts and images, including
deployment_image.qcow2
which is built or downloaded during Bifrost installation.You can detect the root URL with the following command:
$ sudo awk '/^http_url =/ { print $3 }' /etc/ironic/ironic.conf http://192.168.122.1:8080/
/var/lib/tftpboot
TFTP root directory. Normally contains only the binaries to run iPXE on systems that don’t have an iPXE firmware built in. Can contain images when the
pxe
boot interface is used./var/lib/ironic/master_images
cache for instance images.
/var/lib/ironic/master_iso_images
cache for virtual media ISO images.
/var/lib/ironic/certificates
TLS certificates that are used to communicate to the ramdisk on the nodes when cleaning or deploying.
/run/ironic
When TLS is enabled, this directory contains unix sockets of Ironic and Inspector, which Nginx uses to pass requests.