Bifrost is a set of playbooks and scripts that install Ironic as a standalone project for use without other OpenStack components. This presentation describes using Ironic with Bifrost playbooks to deploy baremetal hosts across a VPN tunnel.
2. 2
What is it?
To borrow from the Bifrost documentation:
“Bifrost is a set of Ansible playbooks that automates the task of deploying a base image onto a set of known hardware using Ironic.”
Ironic Bear with sidekick, Bifrost Bear
Bifrost Bear is smaller but just as angry.
• Bifrost consists of 3 major steps:
  • Installation
  • Enrollment
  • Deployment
• Use cases:
  • Bootstrapping an environment
3. 3
Know Your Environment
• Baremetal hosts live in DFW environment
• PXE interface connected to local VLAN 450
• Cisco ASA acts as DHCP relay
• IPSec tunnel established between DFW and ORD
• DHCP server lives in ORD environment (across VPN)
8 - 2x 10G Bond0
9 - Unused
10 - PXE
4. 4
Know Your Environment (Cont’d)
• Bifrost host is dual-homed:
  • front-side interface (vlan 100) for management
  • back-side interface (vlan 450) for PXE/DHCP clients
• Don’t forget the routes:
  • Response traffic to PXE/DHCP clients must be returned via back-end interface
• IPSec tunnel established between ORD and DFW
• Bifrost needs access to OOB IP (iLO/DRAC/BMC)
8. 8
Installation (Cont’d)
Changes:
• Leverage extra dnsmasq configuration and tagging
• /etc/dnsmasq.d/dnsmasq-remote.conf
root@ngpc-bifrost-zed:/etc/dnsmasq.d# cat dnsmasq-remote.conf
log-dhcp
domain-needed
bogus-priv
local=/.lan./
domain=local.lan
dhcp-circuitid=set:dfw,78:72:5d:b9:ea:cf # MAC of local FW PXE_RELAY interface (local to bifrost)
dhcp-circuitid=set:hkg,78:72:5d:b9:ea:cf # MAC of local FW PXE_RELAY interface (local to bifrost)
dhcp-range=dfw,192.168.192.32,192.168.192.63,255.255.255.128,20m # DHCP pool for DFW
dhcp-range=hkg,192.168.193.32,192.168.193.63,255.255.255.128,20m # DHCP Pool for HKG
dhcp-option=dfw,option:router,192.168.192.1 # local GW for DFW nodes
dhcp-option=hkg,option:router,192.168.193.1 # local GW for HKG nodes
dhcp-option=dfw,option:classless-static-route,192.168.192.192/26,192.168.192.1 # get back to bifrost
dhcp-option=hkg,option:classless-static-route,192.168.192.192/26,192.168.193.1 # get back to bifrost
dhcp-option=dfw,option:dns-server,8.8.8.8 # dns
dhcp-option=hkg,option:dns-server,8.8.8.8 # dns
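As an added example (not part of the original slides), the Python sketch below parses the tag-related lines of the dnsmasq-remote.conf above and checks, per site tag, that the router and classless-static-route gateways sit inside the pool's subnet but outside the lease range, and that no circuit-id value is mapped to more than one tag. The function names `parse` and `check` are assumptions made for this illustration; run against the slide's config, it reports the one circuit-id value that is set for both `dfw` and `hkg`.

```python
import ipaddress
from collections import defaultdict

# Tag-related lines from the slide's dnsmasq-remote.conf (inline comments dropped).
CONF = """\
dhcp-circuitid=set:dfw,78:72:5d:b9:ea:cf
dhcp-circuitid=set:hkg,78:72:5d:b9:ea:cf
dhcp-range=dfw,192.168.192.32,192.168.192.63,255.255.255.128,20m
dhcp-range=hkg,192.168.193.32,192.168.193.63,255.255.255.128,20m
dhcp-option=dfw,option:router,192.168.192.1
dhcp-option=hkg,option:router,192.168.193.1
dhcp-option=dfw,option:classless-static-route,192.168.192.192/26,192.168.192.1
dhcp-option=hkg,option:classless-static-route,192.168.192.192/26,192.168.193.1
"""

def parse(conf):
    """Return circuit-id -> tags, tag -> (network, first, last), tag -> gateways."""
    circuits, pools, gateways = defaultdict(list), {}, defaultdict(list)
    for raw in conf.splitlines():
        key, _, value = raw.split(" #")[0].strip().partition("=")
        f = value.split(",")
        if key == "dhcp-circuitid":
            circuits[f[1]].append(f[0].split(":", 1)[1])
        elif key == "dhcp-range":
            first, last = ipaddress.ip_address(f[1]), ipaddress.ip_address(f[2])
            net = ipaddress.ip_network(f"{f[1]}/{f[3]}", strict=False)
            pools[f[0]] = (net, first, last)
        elif (key == "dhcp-option" and len(f) > 2
              and f[1] in ("option:router", "option:classless-static-route")):
            gateways[f[0]].append(ipaddress.ip_address(f[-1]))  # last field is the gateway
    return circuits, pools, gateways

def check(conf):
    """Return a list of human-readable findings; an empty list means consistent."""
    circuits, pools, gateways = parse(conf)
    findings = []
    for cid, tags in circuits.items():
        if len(tags) > 1:
            findings.append(f"circuit-id {cid} sets several tags: {tags}")
    for tag, (net, first, last) in pools.items():
        if last not in net:
            findings.append(f"{tag}: pool end {last} outside {net}")
        for gw in gateways[tag]:
            if gw not in net:
                findings.append(f"{tag}: gateway {gw} not on-link in {net}")
            elif first <= gw <= last:
                findings.append(f"{tag}: gateway {gw} inside the lease pool")
    return findings

if __name__ == "__main__":
    for finding in check(CONF):
        print(finding)
```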
13. 13
Demo (Cont’d)
(bifrost) ubuntu@ngpc-bifrost-zed:~/bifrost$ ssh -i ~/.ssh/ngpc_ospc ubuntu@192.168.192.31
The authenticity of host '192.168.192.31 (192.168.192.31)' can't be established.
ED25519 key fingerprint is SHA256:ZjN7+BPmai4q4AIUiRGrS4pzFHTWDkvE5IlQ7Fczadk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.192.31' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-72-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Aug 18 20:35:48 UTC 2023
System load: 0.3720703125 Processes: 393
Usage of /: 0.6% of 523.89GB Users logged in: 0
Memory usage: 0% IPv4 address for eno2: 192.168.192.31
Swap usage: 0% IPv4 address for eno2: 192.168.192.96
Temperature: 46.0 C
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@storage01-ospcv2-dfw:~$
ubuntu@storage01-ospcv2-dfw:~$ ip -br a
lo UNKNOWN 127.0.0.1/8 ::1/128
eno1 DOWN
eno2 UP 192.168.192.31/25 192.168.192.96/25 fe80::f603:43ff:fe57:7679/64
eno3 DOWN
eno4 DOWN
eno49 UP fe80::4adf:37ff:fe25:515c/64
eno50 UP fe80::4adf:37ff:fe25:515d/64
ens5f0 UP fe80::4adf:37ff:fe37:b800/64
ens5f1 UP fe80::4adf:37ff:fe37:b801/64
14. 14
Demo (Cont’d)
storage01-ospcv2-dfw.test.com:
  addresses:
    eno2: [ 192.168.192.31/25 ]
    host: [ 172.28.232.161/22 ]
    mgmt: [ 172.28.236.161/22 ]
    storage: [ 172.28.244.161/22 ]
  routes:
    eno2:
      - to: 192.168.192.192/26
        via: 192.168.192.1
    host:
      - to: default
        via: 172.28.232.1
(bifrost) ubuntu@ngpc-bifrost-zed:~/netplanner$ ansible-playbook -i simple_inventory site.yml -e @overrides.yml
PLAY [localhost] ************************************************************************************************
TASK [Generate inventory and host_vars] *************************************************************************
TASK [generator : Create host_vars directory] *******************************************************************
ok: [localhost]
TASK [generator : set_fact] *************************************************************************************
ok: [localhost]
TASK [generator : Generate individual host_vars files] **********************************************************
changed: [localhost] => (item=storage01-ospcv2-dfw.test.com)
PLAY [all] ******************************************************************************************************
TASK [Run the netplan!] *****************************************************************************************
TASK [ansible-netplan : Install netplan] ************************************************************************
ok: [storage01-ospcv2-dfw.test.com]
TASK [ansible-netplan : Removing Existing Configurations] *******************************************************
...
TASK [ansible-netplan : Configuring Netplan] ********************************************************************
changed: [storage01-ospcv2-dfw.test.com]
TASK [ansible-netplan : meta] ***********************************************************************************
RUNNING HANDLER [ansible-netplan : Generating Netplan Configuration] ********************************************
changed: [storage01-ospcv2-dfw.test.com]
RUNNING HANDLER [ansible-netplan : Applying Netplan Configuration] **********************************************
changed: [storage01-ospcv2-dfw.test.com]
TASK [Configure hosts] ******************************************************************************************
TASK [configurator : Add local user and add to 'admin' group] ***************************************************
changed: [storage01-ospcv2-dfw.test.com]
TASK [configurator : Disallow SSH password authentication] ******************************************************
changed: [storage01-ospcv2-dfw.test.com]
RUNNING HANDLER [configurator : restart sshd] *******************************************************************
changed: [storage01-ospcv2-dfw.test.com]
PLAY RECAP ******************************************************************************************************
utility01-ospcv2-dfw.test.com : ok=5 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ubuntu@storage01-ospcv2-dfw:~$ ip r
default via 172.28.232.1 dev br-host proto static
172.28.232.0/22 dev br-host proto kernel scope link src 172.28.232.161
172.28.236.0/22 dev br-mgmt proto kernel scope link src 172.28.236.161
172.28.244.0/22 dev br-storage proto kernel scope link src 172.28.244.161
192.168.192.0/25 dev eno2 proto kernel scope link src 192.168.192.31
192.168.192.192/26 via 192.168.192.1 dev eno2 proto static
ubuntu@storage01-ospcv2-dfw:~$ ping 8.8.8.8 -c5
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=1.19 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=1.20 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=1.23 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=1.14 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=1.19 ms