Merge "Make ironic and inspector listen on Unix sockets"

Zuul 2022-03-11 15:46:58 +00:00 committed by Gerrit Code Review
commit 9e99f44480
6 changed files with 33 additions and 5 deletions


@ -33,6 +33,10 @@ nginx_
Uses HTTP port 8080 by default (can be changed via the ``file_url_port``
parameter).
When TLS is enabled, Nginx serves as a TLS proxy for Ironic and Inspector.
It listens on ports 6385 and 5050 and passes requests to the services
via unix sockets.
dnsmasq_
Dnsmasq is used as a DHCP and TFTP server (but not for DNS by default)
when booting nodes over the network. It can also be used to provide DHCP
@ -183,6 +187,10 @@ Runtime locations
TLS certificates that are used to communicate to the ramdisk on the nodes
when cleaning or deploying.
``/run/ironic``
When TLS is enabled, this directory contains unix sockets of Ironic and
Inspector, which Nginx uses to pass requests.
.. _ironic: https://docs.openstack.org/ironic/latest/
.. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
.. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/


@ -225,6 +225,14 @@
- "{{ ironic_agent_deploy_logs_local_path | default('') }}"
when: item | length > 0
- name: "Ensure /run/ironic exists"
file:
name: "/run/ironic"
state: directory
owner: "ironic"
group: "{{ nginx_user }}"
mode: 0750
- name: "Create ironic DB Schema"
command: ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
environment: "{{ bifrost_venv_env }}"
@ -478,7 +486,7 @@
- block:
- name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
seport:
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
proto: tcp
setype: http_port_t
state: present
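Review bot: The `Ensure /run/ironic exists` task creates the socket directory only when the playbook runs, yet `/run` is normally a tmpfs, so after a reboot the directory is presumably gone and Ironic and Inspector would fail to bind `/run/ironic/*.socket` until the playbook is re-applied; a `tmpfiles.d` entry or `RuntimeDirectory=ironic` in the service units would recreate it at boot, which is worth confirming on a target host. Separately, `mode: 0750` is an unquoted scalar; the Ansible file module documentation recommends quoting octal modes, `mode: "0750"`, so a YAML 1.2 parser cannot read it as decimal 750 and silently set the wrong permissions on the socket directory.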


@ -20,7 +20,10 @@ transport_url = fake://
{% if enable_tls | bool %}
# TLS is handled by nginx is proxy mode
listen_address = 127.0.0.1
listen_port = 15050
listen_unix_socket = /run/ironic/ironic-inspector.socket
# Nginx should be able to write to the socket, access will be further limited
# by the containing directory.
listen_unix_socket_mode = 0660
{% endif %}
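Review bot: `listen_unix_socket_mode = 0660` grants write access only to the socket's owning group, and that group will be the Inspector process's primary group unless `/run/ironic` carries the setgid bit, so the new comment's claim that Nginx can write to the socket holds only if the nginx worker user is a member of that group, and nothing in this change adds it. Either setting the directory mode to `2750` in the playbook so sockets created in it inherit the `{{ nginx_user }}` group, or stating the group-membership requirement in the comment, would close the gap; please confirm against the actual users on a deployed host. The same applies to `unix_socket_mode = 0660` in the ironic.conf template below.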
[database]


@ -54,8 +54,11 @@ grub_config_path = EFI/{{ efi_distro }}/grub.cfg
[api]
# TLS is handled by nginx is proxy mode
host_ip = 127.0.0.1
port = 6388
public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
unix_socket = /run/ironic/ironic.socket
# Nginx should be able to write to the socket, access will be further limited
# by the containing directory.
unix_socket_mode = 0660
{% if expose_json_rpc | bool %}
[ssl]


@ -6,7 +6,7 @@ server {
ssl_certificate_key {{ ironic_private_key_path }};
location / {
proxy_pass http://127.0.0.1:6388;
proxy_pass http://unix:/run/ironic/ironic.socket:;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
@ -24,7 +24,7 @@ server {
ssl_certificate_key {{ ironic_inspector_private_key_path }};
location / {
proxy_pass http://127.0.0.1:15050;
proxy_pass http://unix:/run/ironic/ironic-inspector.socket:;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
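Review bot: `proxy_pass http://unix:/run/ironic/ironic.socket:;` (and the Inspector counterpart in the second hunk) makes the nginx worker connect to a unix stream socket under `/run`, which on an SELinux-enforcing host is a different permission from the TCP ports the playbook's `seport` task manages; `httpd_t` connecting to a socket file labeled with the default `/run` context may be denied, and the previous localhost TCP fallback no longer exists. This should be verified in the audit log on an enforcing host before merging, and if a boolean or file-context change turns out to be needed, a one-line comment next to the `proxy_pass` naming it would spare the next reader a debugging round.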


@ -0,0 +1,6 @@
---
upgrade:
- |
When TLS is enabled, Ironic and Inspector now serve their API via unix
sockets in the ``/run/ironic`` directory instead of private TCP ports on
localhost. The public API is served by Nginx.