Merge "Make ironic and inspector listen on Unix sockets"
This commit is contained in:
commit
9e99f44480
@ -33,6 +33,10 @@ nginx_
|
||||
Uses HTTP port 8080 by default (can be changed via the ``file_url_port``
|
||||
parameter).
|
||||
|
||||
When TLS is enabled, Nginx serves as a TLS proxy for Ironic and Inspector.
|
||||
It listens on ports 6385 and 5050 and passes requests to the services
|
||||
via unix sockets.
|
||||
|
||||
dnsmasq_
|
||||
Dnsmasq is used as a DHCP and TFTP server (but not for DNS by default)
|
||||
when booting nodes over the network. It can also be used to provide DHCP
|
||||
@ -183,6 +187,10 @@ Runtime locations
|
||||
TLS certificates that are used to communicate to the ramdisk on the nodes
|
||||
when cleaning or deploying.
|
||||
|
||||
``/run/ironic``
|
||||
When TLS is enabled, this directory contains unix sockets of Ironic and
|
||||
Inspector, which Nginx uses to pass requests.
|
||||
|
||||
.. _ironic: https://docs.openstack.org/ironic/latest/
|
||||
.. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
|
||||
.. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/
|
||||
|
@ -225,6 +225,14 @@
|
||||
- "{{ ironic_agent_deploy_logs_local_path | default('') }}"
|
||||
when: item | length > 0
|
||||
|
||||
- name: "Ensure /run/ironic exists"
|
||||
file:
|
||||
name: "/run/ironic"
|
||||
state: directory
|
||||
owner: "ironic"
|
||||
group: "{{ nginx_user }}"
|
||||
mode: 0750
|
||||
|
||||
- name: "Create ironic DB Schema"
|
||||
command: ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
|
||||
environment: "{{ bifrost_venv_env }}"
|
||||
@ -478,7 +486,7 @@
|
||||
- block:
|
||||
- name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
|
||||
seport:
|
||||
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
|
||||
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
|
||||
proto: tcp
|
||||
setype: http_port_t
|
||||
state: present
|
||||
|
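Review bot: The new `Ensure /run/ironic exists` task creates the socket directory once at install time, but on most distributions /run is a tmpfs that is emptied on reboot, so after a reboot the directory is gone and Ironic/Inspector, if they run as the unprivileged `ironic` user, cannot recreate it with the required owner and group. Consider also installing a tmpfiles.d entry such as `d /run/ironic 0750 ironic {{ nginx_user }} -` (or `RuntimeDirectory=ironic` in the service units, if bifrost manages them) so the directory exists at boot. Separately, the seport change only re-labels TCP ports; with SELinux enforcing, nginx (httpd_t) connecting to a unix stream socket under /run/ironic may additionally need the socket's file context or a boolean that allows the connect, which nothing in this hunk covers — worth verifying on a CentOS/Fedora run. The enclosing play and block start outside the hunk.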
@ -20,7 +20,10 @@ transport_url = fake://
|
||||
{% if enable_tls | bool %}
|
||||
# TLS is handled by nginx is proxy mode
|
||||
listen_address = 127.0.0.1
|
||||
listen_port = 15050
|
||||
listen_unix_socket = /run/ironic/ironic-inspector.socket
|
||||
# Nginx should be able to write to the socket, access will be further limited
|
||||
# by the containing directory.
|
||||
listen_unix_socket_mode = 0660
|
||||
{% endif %}
|
||||
|
||||
[database]
|
||||
|
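Review bot: `listen_address = 127.0.0.1` is kept next to the new `listen_unix_socket`, so if ironic-inspector still opens its TCP listener when a unix socket is configured, dropping `listen_port = 15050` makes it fall back to its default port 5050, which is exactly the port nginx now listens on in front of it. Please confirm that setting `listen_unix_socket` disables the TCP listener in the inspector version bifrost deploys; if it does not, keep an explicit private port or remove `listen_address` as well. Also `listen_unix_socket_mode = 0660` only admits nginx if the socket's group is nginx's group: the socket is created by the inspector process and inherits its primary group, so unless the nginx user is a member of that group, connect() will be refused regardless of the 0750 directory, and the comment should state that requirement rather than describing the directory as the access control.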
@ -54,8 +54,11 @@ grub_config_path = EFI/{{ efi_distro }}/grub.cfg
|
||||
[api]
|
||||
# TLS is handled by nginx is proxy mode
|
||||
host_ip = 127.0.0.1
|
||||
port = 6388
|
||||
public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
|
||||
unix_socket = /run/ironic/ironic.socket
|
||||
# Nginx should be able to write to the socket, access will be further limited
|
||||
# by the containing directory.
|
||||
unix_socket_mode = 0660
|
||||
|
||||
{% if expose_json_rpc | bool %}
|
||||
[ssl]
|
||||
|
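Review bot: `unix_socket_mode = 0660` does not by itself give nginx what the comment promises: on Linux connect() to a unix stream socket needs write permission on the socket inode, the socket is created by the ironic-api process and gets that user's primary group, and the 0750 `/run/ironic` directory (group nginx) only lets nginx traverse to it. Unless the nginx user is also a member of the ironic user's group, which this change does not show, nginx will get EACCES on proxy_pass. Either make that group membership part of the install, or follow the model the comment actually describes and let the directory be the access control: `unix_socket_mode = 0666` with the directory kept at 0750 `ironic:{{ nginx_user }}`. The `[api]` section continues past the hunk.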
@ -6,7 +6,7 @@ server {
|
||||
ssl_certificate_key {{ ironic_private_key_path }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:6388;
|
||||
proxy_pass http://unix:/run/ironic/ironic.socket:;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
@ -24,7 +24,7 @@ server {
|
||||
ssl_certificate_key {{ ironic_inspector_private_key_path }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:15050;
|
||||
proxy_pass http://unix:/run/ironic/ironic-inspector.socket:;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
6
releasenotes/notes/unix-socket-bac1a9e01b1cf7e6.yaml
Normal file
6
releasenotes/notes/unix-socket-bac1a9e01b1cf7e6.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
When TLS is enabled, Ironic and Inspector now serve their API via unix
|
||||
sockets in the ``/run/ironic`` directory instead of private TCP ports on
|
||||
localhost. The public API is served by Nginx.
|