iLO drivers enable to take advantage of features of iLO management engine in HPE ProLiant servers. iLO drivers are targeted for HPE ProLiant Gen 8 systems and above which have iLO 4 management engine.
For more details, please refer the iLO driver document of Juno, Kilo and Liberty releases, and for up-to-date information (like tested platforms, known issues, etc), please check the iLO driver wiki page.
Currently there are 3 iLO drivers:
The iscsi_ilo and agent_ilo drivers provide security enhanced PXE-less deployment by using iLO virtual media to boot up the bare metal node. These drivers send management info through management channel and separates it from data channel which is used for deployment.
iscsi_ilo and agent_ilo drivers use deployment ramdisk built from diskimage-builder. The iscsi_ilo driver deploys from ironic conductor and supports both net-boot and local-boot of instance. agent_ilo deploys from bare metal node and supports both net-boot and local-boot of instance.
pxe_ilo driver uses PXE/iSCSI for deployment (just like normal PXE driver) and deploys from ironic conductor. Additionally it supports automatic setting of requested boot mode from nova. This driver doesn’t require iLO Advanced license.
proliantutils is a python package which contains set of modules for managing HPE ProLiant hardware.
Install proliantutils module on the ironic conductor node. Minimum version required is 2.1.7.:
$ pip install "proliantutils>=2.1.7"
ipmitool command must be present on the service node(s) where ironic-conductor is running. On most distros, this is provided as part of the ipmitool package. Refer to Hardware Inspection Support for more information on recommended version.
Configure Glance image service with its storage backend as Swift.
Set a temp-url key for Glance user in Swift. For example, if you have configured Glance with user glance-swift and tenant as service, then run the below command:
swift --os-username=service:glance-swift post -m temp-url-key:mysecretkeyforglance
Fill the required parameters in the [glance] section in /etc/ironic/ironic.conf. Normally you would be required to fill in the following details.:
[glance]
swift_temp_url_key=mysecretkeyforglance
swift_endpoint_url=https://10.10.1.10:8080
swift_api_version=v1
swift_account=AUTH_51ea2fb400c34c9eb005ca945c0dc9e1
swift_container=glance
The details can be retrieved by running the below command:
$ swift --os-username=service:glance-swift stat -v | grep -i url StorageURL: http://10.10.1.10:8080/v1/AUTH_51ea2fb400c34c9eb005ca945c0dc9e1 Meta Temp-Url-Key: mysecretkeyforglance
Swift must be accessible with the same admin credentials configured in Ironic. For example, if Ironic is configured with the below credentials in /etc/ironic/ironic.conf.:
[keystone_authtoken]
admin_password = password
admin_user = ironic
admin_tenant_name = service
Ensure auth_version in keystone_authtoken to 2.
Then, the below command should work.:
$ swift --os-username ironic --os-password password --os-tenant-name service --auth-version 2 stat
Account: AUTH_22af34365a104e4689c46400297f00cb
Containers: 2
Objects: 18
Bytes: 1728346241
Objects in policy "policy-0": 18
Bytes in policy "policy-0": 1728346241
Meta Temp-Url-Key: mysecretkeyforglance
X-Timestamp: 1409763763.84427
X-Trans-Id: tx51de96a28f27401eb2833-005433924b
Content-Type: text/plain; charset=utf-8
Accept-Ranges: bytes
Restart the Ironic conductor service.:
$ service ironic-conductor restart
The HTTP(S) web server can be configured in many ways. For apache web server on Ubuntu, refer here
Following config variables need to be set in /etc/ironic/ironic.conf:
use_web_server_for_images in [ilo] section:
[ilo]
use_web_server_for_images = True
http_url and http_root in [deploy] section:
[deploy]
# Ironic compute node's http root path. (string value)
http_root=/httpboot
# Ironic compute node's HTTP server URL. Example:
# http://192.1.2.3:8080 (string value)
http_url=http://192.168.0.2:8080
use_web_server_for_images: If the variable is set to false, iscsi_ilo and agent_ilo uses swift containers to host the intermediate floppy image and the boot ISO. If the variable is set to true, these drivers uses the local web server for hosting the intermediate files. The default value for use_web_server_for_images is False.
http_url: The value for this variable is prefixed with the generated intermediate files to generate a URL which is attached in the virtual media.
http_root: It is the directory location to which ironic conductor copies the intermediate floppy image and the boot ISO.
Note
HTTPS is strongly recommended over HTTP web server configuration for security enhancement. The iscsi_ilo and agent_ilo will send the instance’s configdrive over an encrypted channel if web server is HTTPS enabled.
Build a deploy ISO (and kernel and ramdisk) image, see disk-image-builder
See Glance Configuration for configuring glance image service with its storage backend as swift.
Upload this image to Glance.:
glance image-create --name deploy-ramdisk.iso --disk-format iso --container-format bare < deploy-ramdisk.iso
Add the driver name to the list of enabled_drivers in /etc/ironic/ironic.conf. For example, for iscsi_ilo driver:
enabled_drivers = fake,pxe_ssh,pxe_ipmitool,iscsi_ilo
Similarly it can be added for agent_ilo and pxe_ilo drivers.
Restart the ironic conductor service.:
$ service ironic-conductor restart
iscsi_ilo driver was introduced as an alternative to pxe_ipmitool and pxe_ipminative drivers for HPE ProLiant servers. iscsi_ilo uses virtual media feature in iLO to boot up the bare metal node instead of using PXE or iPXE.
Users who do not want to use PXE/TFTP protocol on their data centres.
Users who have concerns with PXE protocol’s security issues and want to have a security enhanced PXE-less deployment mechanism.
The PXE driver passes management information in clear-text to the bare metal node. However, if swift proxy server has an HTTPS endpoint (See Enabling HTTPS in Swift for more information), the iscsi_ilo driver provides enhanced security by passing management information to and from swift endpoint over HTTPS. The management information, deploy ramdisk and boot images for the instance will be retrieved over encrypted management network via iLO virtual media.
This driver should work on HPE ProLiant Gen8 Servers and above with iLO 4. It has been tested with the following servers:
For more up-to-date information on server platform support info, refer iLO driver wiki page.
Refer to Netboot with glance and swift and Localboot with glance and swift for partition images for the deploy process of partition image and Localboot with glance and swift for the deploy process of whole disk image.
Refer to Glance Configuration and Enable driver.
Nodes configured for iLO driver should have the driver property set to iscsi_ilo. The following configuration values are also required in driver_info:
For example, you could run a similar command like below to enroll the ProLiant node:
ironic node-create -d iscsi_ilo -i ilo_address=<ilo-ip-address> -i ilo_username=<ilo-username> -i ilo_password=<ilo-password> -i ilo_deploy_iso=<glance-uuid-of-deploy-iso>
Refer to Boot mode support section for more information.
Refer to UEFI Secure Boot Support section for more information.
Refer to Node Cleaning Support for more information.
Refer to Hardware Inspection Support for more information.
Refer to Swiftless deploy for intermediate images for more information.
Refer to HTTP(S) Based Deploy Support for more information.
Refer to Support for iLO drivers with Standalone Ironic for more information.
Refer to RAID Support for more information.
agent_ilo driver was introduced as an alternative to agent_ipmitool and agent_ipminative drivers for HPE ProLiant servers. agent_ilo driver uses virtual media feature in HPE ProLiant bare metal servers to boot up the Ironic Python Agent (IPA) on the bare metal node instead of using PXE. For more information on IPA, refer https://wiki.openstack.org/wiki/Ironic-python-agent.
Users who do not want to use PXE/TFTP protocol on their data centres.
Users who have concerns on PXE based agent driver’s security and want to have a security enhanced PXE-less deployment mechanism.
The PXE based agent drivers pass management information in clear-text to the bare metal node. However, if swift proxy server has an HTTPS endpoint (See Enabling HTTPS in Swift for more information), the agent_ilo driver provides enhanced security by passing authtoken and management information to and from swift endpoint over HTTPS. The management information and deploy ramdisk will be retrieved over encrypted management network via iLO.
This driver should work on HPE ProLiant Gen8 Servers and above with iLO 4. It has been tested with the following servers:
For more up-to-date information, check the iLO driver wiki page.
Refer to Netboot with glance and swift and Localboot with glance and swift for partition images for the deploy process of partition image and Localboot with glance and swift for the deploy process of whole disk image.
Refer to Glance Configuration and Enable driver.
Nodes configured for iLO driver should have the driver property set to agent_ilo. The following configuration values are also required in driver_info:
For example, you could run a similar command like below to enroll the ProLiant node:
ironic node-create -d agent_ilo -i ilo_address=<ilo-ip-address> -i ilo_username=<ilo-username> -i ilo_password=<ilo-password> -i ilo_deploy_iso=<glance-uuid-of-deploy-iso>
Refer to Boot mode support section for more information.
Refer to UEFI Secure Boot Support section for more information.
Refer to Node Cleaning Support for more information.
Refer to Hardware Inspection Support for more information.
Refer to Swiftless deploy for intermediate images for more information.
Refer to HTTP(S) Based Deploy Support for more information.
Refer to Support for iLO drivers with Standalone Ironic for more information.
Refer to RAID Support for more information.
pxe_ilo driver uses PXE/iSCSI (just like pxe_ipmitool driver) to deploy the image and uses iLO to do power and management operations on the bare metal node(instead of using IPMI).
This driver should work on HPE ProLiant Gen8 Servers and above with iLO 4. It has been tested with the following servers:
For more up-to-date information, check the iLO driver wiki page.
None.
Build a deploy image, see disk-image-builder
Upload this image to glance.:
glance image-create --name deploy-ramdisk.kernel --disk-format aki --container-format aki < deploy-ramdisk.kernel
glance image-create --name deploy-ramdisk.initramfs --disk-format ari --container-format ari < deploy-ramdisk.initramfs
Add pxe_ilo to the list of enabled_drivers in /etc/ironic/ironic.conf. For example::
enabled_drivers = fake,pxe_ssh,pxe_ipmitool,pxe_ilo
Restart the ironic conductor service.:
service ironic-conductor restart
Nodes configured for iLO driver should have the driver property set to pxe_ilo. The following configuration values are also required in driver_info:
For example, you could run a similar command like below to enroll the ProLiant node:
ironic node-create -d pxe_ilo -i ilo_address=<ilo-ip-address> -i ilo_username=<ilo-username> -i ilo_password=<ilo-password> -i deploy_kernel=<glance-uuid-of-pxe-deploy-kernel> -i deploy_ramdisk=<glance-uuid-of-deploy-ramdisk>
Refer to Boot mode support section for more information.
Refer to UEFI Secure Boot Support section for more information.
Refer to Node Cleaning Support for more information.
Refer to Hardware Inspection Support for more information.
Refer to HTTP(S) Based Deploy Support for more information.
Refer to Support for iLO drivers with Standalone Ironic for more information.
Refer to RAID Support for more information.
The following drivers support automatic detection and setting of boot mode (Legacy BIOS or UEFI).
pxe_ilo
iscsi_ilo
agent_ilo
When boot mode capability is not configured:
When boot mode capability is configured, the driver sets the pending boot mode to the configured value.
Only one boot mode (either uefi or bios) can be configured for the node.
If the operator wants a node to boot always in uefi mode or bios mode, then they may use capabilities parameter within properties field of an ironic node.
To configure a node in uefi mode, then set capabilities as below:
ironic node-update <node-uuid> add properties/capabilities='boot_mode:uefi'
Nodes having boot_mode set to uefi may be requested by adding an extra_spec to the nova flavor:
nova flavor-key ironic-test-3 set capabilities:boot_mode="uefi"
nova boot --flavor ironic-test-3 --image test-image instance-1
If capabilities is used in extra_spec as above, nova scheduler (ComputeCapabilitiesFilter) will match only ironic nodes which have the boot_mode set appropriately in properties/capabilities. It will filter out rest of the nodes.
The above facility for matching in nova can be used in heterogeneous environments where there is a mix of uefi and bios machines, and operator wants to provide a choice to the user regarding boot modes. If the flavor doesn’t contain boot_mode then nova scheduler will not consider boot mode as a placement criteria, hence user may get either a BIOS or UEFI machine that matches with user specified flavors.
The automatic boot ISO creation for UEFI boot mode has been enabled in Kilo. The manual creation of boot ISO for UEFI boot mode is also supported. For the latter, the boot ISO for the deploy image needs to be built separately and the deploy image’s boot_iso property in glance should contain the glance UUID of the boot ISO. For building boot ISO, add iso element to the diskimage-builder command to build the image. For example:
disk-image-create ubuntu baremetal iso
The following drivers support UEFI secure boot deploy:
The UEFI secure boot can be configured in ironic by adding secure_boot parameter in the capabilities parameter within properties field of an ironic node.
secure_boot is a boolean parameter and takes value as true or false.
To enable secure_boot on a node add it to capabilities as below:
ironic node-update <node-uuid> add properties/capabilities='secure_boot:true'
Alternatively see Hardware Inspection Support to know how to automatically populate the secure boot capability.
Nodes having secure_boot set to true may be requested by adding an extra_spec to the nova flavor:
nova flavor-key ironic-test-3 set capabilities:secure_boot="true"
nova boot --flavor ironic-test-3 --image test-image instance-1
If capabilities is used in extra_spec as above, nova scheduler (ComputeCapabilitiesFilter) will match only ironic nodes which have the secure_boot set appropriately in properties/capabilities. It will filter out rest of the nodes.
The above facility for matching in nova can be used in heterogeneous environments where there is a mix of machines supporting and not supporting UEFI secure boot, and operator wants to provide a choice to the user regarding secure boot. If the flavor doesn’t contain secure_boot then nova scheduler will not consider secure boot mode as a placement criteria, hence user may get a secure boot capable machine that matches with user specified flavors but deployment would not use its secure boot capability. Secure boot deploy would happen only when it is explicitly specified through flavor.
Use element ubuntu-signed or fedora to build signed deploy iso and user images from diskimage-builder. Refer disk-image-builder for more information on building deploy ramdisk.
The below command creates files named cloud-image-boot.iso, cloud-image.initrd, cloud-image.vmlinuz and cloud-image.qcow2 in the current working directory.:
cd <path-to-diskimage-builder>
./bin/disk-image-create -o cloud-image ubuntu-signed baremetal iso
Note
In UEFI secure boot, digitally signed bootloader should be able to validate digital signatures of kernel during boot process. This requires that the bootloader contains the digital signatures of the kernel. For iscsi_ilo driver, it is recommended that boot_iso property for user image contains the glance UUID of the boot ISO. If boot_iso property is not updated in glance for the user image, it would create the boot_iso using bootloader from the deploy iso. This boot_iso will be able to boot the user image in UEFI secure boot environment only if the bootloader is signed and can validate digital signatures of user image kernel.
Ensure the public key of the signed image is loaded into bare metal to deploy signed images. For HPE ProLiant Gen9 servers, one can enroll public key using iLO System Utilities UI. Please refer to section Accessing Secure Boot options in HP UEFI System Utilities User Guide. One can also refer to white paper on Secure Boot for Linux on HP ProLiant servers for additional details.
For more up-to-date information, refer iLO driver wiki page
The following iLO drivers support node cleaning -
For more information on node cleaning, see Node cleaning
The automated cleaning operations supported are:
Resets system ROM settings to default. By default, enabled with priority 10. This clean step is supported only on Gen9 and above servers.
Resets secure boot keys to manufacturer’s defaults. This step is supported only on Gen9 and above servers. By default, enabled with priority 20 .
Resets the iLO password, if ilo_change_password is specified as part of node’s driver_info. By default, enabled with priority 30.
Clears all secure boot keys. This step is supported only on Gen9 and above servers. By default, this step is disabled.
Resets the iLO. By default, this step is disabled.
For in-band cleaning operations supported by agent_ilo driver, see In-band vs out-of-band.
All the automated cleaning steps have an explicit configuration option for priority. In order to disable or change the priority of the automated clean steps, respective configuration option for priority should be updated in ironic.conf.
Updating clean step priority to 0, will disable that particular clean step and will not run during automated cleaning.
Configuration Options for the automated clean steps are listed under [ilo] section in ironic.conf
- clean_priority_reset_ilo=0
- clean_priority_reset_bios_to_default=10
- clean_priority_reset_secure_boot_keys_to_default=20
- clean_priority_clear_secure_boot_keys=0
- clean_priority_reset_ilo_credential=30
- clean_priority_erase_devices=10
For more information on node automated cleaning, see Automated cleaning
The manual cleaning operations supported are:
Activates the iLO Advanced license. This is an out-of-band manual cleaning step associated with the management interface. See Activating iLO Advanced license as manual clean step for user guidance on usage. Please note that this operation cannot be performed using virtual media based drivers like iscsi_ilo and agent_ilo as they need this type of advanced license already active to use virtual media to boot into to start cleaning operation. Virtual media is an advanced feature. If an advanced license is already active and the user wants to overwrite the current license key, for example in case of a multi-server activation key delivered with a flexible-quantity kit or after completing an Activation Key Agreement (AKA), then these drivers can still be used for executing this cleaning step.
Updates the firmware of the devices. Also an out-of-band step associated with the management interface. See Initiating firmware update as manual clean step for user guidance on usage. The supported devices for firmware update are: ilo, cpld, power_pic, bios and chassis. Refer to below table for their commonly used descriptions.
Device | Description |
---|---|
ilo | BMC for HPE ProLiant servers |
cpld | System programmable logic device |
power_pic | Power management controller |
bios | HPE ProLiant System ROM |
chassis | System chassis device |
Some devices firmware cannot be updated via this method, such as: storage controllers, host bus adapters, disk drive firmware, network interfaces and OA.
iLO with firmware version 1.5 is minimally required to support all the operations.
For more information on node manual cleaning, see Manual cleaning
The following iLO drivers support hardware inspection:
Note
The inspection process will discover the following essential properties (properties required for scheduling deployment):
Inspection can also discover the following extra capabilities for iLO drivers:
ilo_firmware_version: iLO firmware version
rom_firmware_version: ROM firmware version
secure_boot: secure boot is supported or not. The possible values are ‘true’ or ‘false’. The value is returned as ‘true’ if secure boot is supported by the server.
server_model: server model
pci_gpu_devices: number of gpu devices connected to the bare metal.
nic_capacity: the max speed of the embedded NIC adapter.
Note
The operator can specify these capabilities in nova flavor for node to be selected for scheduling:
nova flavor-key my-baremetal-flavor set capabilities:server_model="<in> Gen8"
nova flavor-key my-baremetal-flavor set capabilities:pci_gpu_devices="> 0"
nova flavor-key my-baremetal-flavor set capabilities:nic_capacity="10Gb"
nova flavor-key my-baremetal-flavor set capabilities:ilo_firmware_version="<in> 2.10"
nova flavor-key my-baremetal-flavor set capabilities:secure_boot="true"
The iscsi_ilo and agent_ilo drivers can deploy and boot the server with and without swift being used for hosting the intermediate temporary floppy image (holding metadata for deploy kernel and ramdisk) and the boot ISO (which is required for iscsi_ilo only). A local HTTP(S) web server on each conductor node needs to be configured. Refer Web server configuration on conductor for more information. The HTTPS web server needs to be enabled (instead of HTTP web server) in order to send management information and images in encrypted channel over HTTPS.
Note
This feature assumes that the user inputs are on Glance which uses swift as backend. If swift dependency has to be eliminated, please refer to HTTP(S) Based Deploy Support also.
Refer to Netboot in swiftless deploy for intermediate images for partition image support and refer to Localboot in swiftless deploy for intermediate images for whole disk image support.
The user input for the images given in driver_info like ilo_deploy_iso, deploy_kernel and deploy_ramdisk and in instance_info like image_source, kernel, ramdisk and ilo_boot_iso may also be given as HTTP(S) URLs.
The HTTP(S) web server can be configured in many ways. For the Apache web server on Ubuntu, refer here. The web server may reside on a different system than the conductor nodes, but its URL must be reachable by the conductor and the bare metal nodes.
Refer to Netboot with HTTP(S) based deploy for partition image boot and refer to Localboot with HTTP(S) based deploy for whole disk image boot.
It is possible to use ironic as standalone services without other OpenStack services. iLO drivers can be used in standalone ironic. This feature is referred to as iLO drivers with standalone ironic in this document and is supported by following drivers:
The HTTP(S) web server needs to be configured as described in HTTP(S) Based Deploy Support and Web server configuration on conductor needs to be configured for hosting intermediate images on conductor as described in Swiftless deploy for intermediate images.
iscsi_ilo and agent_ilo supports both netboot and localboot. Refer to Netboot in standalone ironic and Localboot in standalone ironic for details of deploy process for netboot and localboot respectively. For pxe_ilo, the deploy process is same as native pxe_ipmitool driver.
iLO drivers can activate the iLO Advanced license key as a manual cleaning step. Any manual cleaning step can only be initiated when a node is in the manageable state. Once the manual cleaning is finished, the node will be put in the manageable state again. User can follow steps from Manual cleaning to initiate manual cleaning operation on a node.
An example of a manual clean step with activate_license as the only clean step could be:
'clean_steps': [{
'interface': 'management',
'step': 'activate_license',
'args': {
'ilo_license_key': 'ABC12-XXXXX-XXXXX-XXXXX-YZ345'
}
}]
The different attributes of activate_license clean step are as follows:
Attribute Description interface Interface of clean step, here management step Name of clean step, here activate_license args Keyword-argument entry (<name>: <value>) being passed to clean step args.ilo_license_key iLO Advanced license key to activate enterprise features. This is mandatory.
iLO drivers can invoke secure firmware update as a manual cleaning step. Any manual cleaning step can only be initiated when a node is in the manageable state. Once the manual cleaning is finished, the node will be put in the manageable state again. A user can follow steps from Manual cleaning to initiate manual cleaning operation on a node.
An example of a manual clean step with update_firmware as the only clean step could be:
'clean_steps': [{
'interface': 'management',
'step': 'update_firmware',
'args': {
'firmware_update_mode': 'ilo',
'firmware_images':[
{
'url': 'file:///firmware_images/ilo/1.5/CP024444.scexe',
'checksum': 'a94e683ea16d9ae44768f0a65942234d',
'component': 'ilo'
},
{
'url': 'swift://firmware_container/cpld2.3.rpm',
'checksum': '<md5-checksum-of-this-file>',
'component': 'cpld'
},
{
'url': 'http://my_address:port/firmwares/bios_vLatest.scexe',
'checksum': '<md5-checksum-of-this-file>',
'component': 'bios'
},
{
'url': 'https://my_secure_address_url/firmwares/chassis_vLatest.scexe',
'checksum': '<md5-checksum-of-this-file>',
'component': 'chassis'
},
{
'url': 'file:///home/ubuntu/firmware_images/power_pic/pmc_v3.0.bin',
'checksum': '<md5-checksum-of-this-file>',
'component': 'power_pic'
}
]
}
}]
The different attributes of update_firmware clean step are as follows:
Attribute Description interface Interface of clean step, here management step Name of clean step, here update_firmware args Keyword-argument entry (<name>: <value>) being passed to clean step args.firmware_update_mode Mode (or mechanism) of out-of-band firmware update. Supported value is ilo. This is mandatory. args.firmware_images Ordered list of dictionaries of images to be flashed. This is mandatory.
Each firmware image block is represented by a dictionary (JSON), in the form:
{
'url': '<url of firmware image file>',
'checksum': '<md5 checksum of firmware image file to verify the image>',
'component': '<device on which firmware image will be flashed>'
}
All the fields in the firmware image block are mandatory.
Note
This feature assumes that while using file url scheme the file path is on the conductor controlling the node.
Different firmware components that can be updated are: ilo, cpld, power_pic, bios and chassis.
The firmware images will be updated in the order given by the operator. If there is any error during processing of any of the given firmware images provided in the list, none of the firmware updates will occur. The processing error could happen during image download, image checksum verification or image extraction. The logic is to process each of the firmware files and update them on the devices only if all the files are processed successfully. If, during the update (uploading and flashing) process, an update fails, then the remaining updates, if any, in the list will be aborted. But it is recommended to triage and fix the failure and re-attempt the manual clean step update_firmware for the aborted firmware_images.
The devices for which the firmwares have been updated successfully would start functioning using their newly updated firmware.
As a troubleshooting guidance on the complete process, check Ironic conductor logs carefully to see if there are any firmware processing or update related errors which may help in root causing or gain an understanding of where things were left off or where things failed. You can then fix or work around and then try again. A common cause of update failure is HPE Secure Digital Signature check failure for the firmware image file.
To compute md5 checksum for your image file, you can use the following command:
$ md5sum image.rpm
66cdb090c80b71daa21a67f06ecd3f33 image.rpm
The inband RAID functionality is now supported by iLO drivers. See RAID Configuration for more information.
To create an agent ramdisk with Proliant Hardware Manager, use the proliant-tools element in DIB:
disk-image-create -o proliant-agent-ramdisk ironic-agent fedora proliant-tools