Chapter 2. Requirements for bare metal provisioning
To provide an overcloud where cloud users can launch bare metal instances, your Red Hat OpenStack Platform (RHOSP) environment must have the required hardware and network configuration.
2.1. Hardware requirements
The hardware requirements for the bare metal machines that you want to make available to your cloud users for provisioning depend on the operating system. For information about the hardware requirements for Red Hat Enterprise Linux installations, see Product Documentation for Red Hat Enterprise Linux.
All bare metal machines that you want to make available to your cloud users for provisioning must have the following capabilities:
- A NIC to connect to the bare metal network.
-
A power management interface, for example, Redfish or IPMI, that is connected to a network that is reachable from the
ironic-conductorservice. By default,ironic-conductorruns on all of the Controller nodes, unless you use composable roles and runironic-conductorelsewhere. - PXE boot on the bare metal network. Disable PXE boot on all other NICs in the deployment.
2.2. Networking requirements
The bare metal network must be a private network for the Bare Metal Provisioning service to use for the following operations:
- The provisioning and management of bare metal machines on the overcloud.
- Cleaning bare metal nodes when a node is unprovisioned.
- Tenant access to the bare metal machines.
The bare metal network provides DHCP and PXE boot functions to discover bare metal systems. This network must use a native VLAN on a trunked interface so that the Bare Metal Provisioning service can serve PXE boot and DHCP requests.
The Bare Metal Provisioning service in the overcloud is designed for a trusted tenant environment because the bare metal machines have direct access to the control plane network of your Red Hat OpenStack Platform (RHOSP) environment. Therefore, the default bare metal network uses a flat network for ironic-conductor services.
The default flat provisioning network can introduce security concerns in a customer environment because a tenant can interfere with the control plane network. To prevent this risk, you can configure a custom composable bare metal provisioning network for the Bare Metal Provisioning service that does not have access to the control plane.
The bare metal network must be untagged for provisioning, and must also have access to the Bare Metal Provisioning API. The control plane network, also known as the director provisioning network, is always untagged. Other networks can be tagged.
The Controller nodes that host the Bare Metal Provisioning service must have access to the bare metal network.
The NIC that the bare metal machine is configured to PXE-boot from must have access to the bare metal network.
The bare metal network is created by the OpenStack operator. Cloud users have direct access to the public OpenStack APIs, and to the bare metal network. With the default flat bare metal network, cloud users also have indirect access to the control plane.
The Bare Metal Provisioning service uses the bare metal network for node cleaning.
2.2.1. The default bare metal network
In the default Bare Metal Provisioning service deployment architecture, the bare metal network is separate from the control plane network. The bare metal network is a flat network that also acts as the tenant network. This network must route to the Bare Metal Provisioning services on the control plane, known as the director provisioning network. If you define an isolated bare metal network, the bare metal nodes cannot PXE boot.
Default bare metal network architecture diagram
2.2.2. The custom composable bare metal network
When you use a custom composable bare metal network in your Bare Metal Provisioning service deployment architecture, the bare metal network is a custom composable network that does not have access to the control plane. Use a custom composable bare metal network if you want to limit access to the control plane.
