RFC: reducing the number of architectures in ironic-image

[Dmitry Tantsur]

Hi folks,

I think I've raised this topic in the past, but I believe it won't hurt to reiterate and maybe come to a final agreement. TL;DR ironic-image is a mess, and I would like to dramatically simplify it.

There are several ways to deploy Ironic now:

1) Without TLS: just Ironic

2) Without or without TLS: Ironic API under mod_wsgi + Conductor via RPC

3) With TLS: TLS via httpd + Ironic via localhost and a private port

4) With TLS: TLS via httpd + Ironic via a unix socket

I want to drop 2 and 3. The mod_wsgi approach was never a good choice for us (alone its RAM impact is very unfortunate), we just did not have anything better until the all-in-one executable. JSON RPC cannot be run as WSGI anyway.

As to unix sockets, we have run with them in OpenShift for a couple of releases already without any issues. I find allocating a private port for the metal3 pod annoying especially since it runs with host networking (so this port may conflict with anything on control plane nodes). I've recently added unix sockets support to JSON RPC, so we now can use the same approach to TLS there.

The end result I'd like to see is:

1) No TLS - just all-in-one Ironic (and the RPC if needed).

2) TLS - Ironic (and its RPC if needed) on a unix socket, httpd as a frontend.

Does anyone have any use cases I'm missing? Any opinions? If you agree, how do we approach the deprecation process?

Dmitry

P.S.

This conversation only affects operators that use ironic-image.

--

Red Hat GmbH, Registered seat: Werner von Siemens Ring 12, D-85630 Grasbrunn, Germany  
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross

[Ádám Rozmán]

Hi Dmitry,

Recently I was looking into the TLS landscape of the Metal3 partially because I was updating some related documents in Nordix (if someone is interested : PR) partially because of some downstream questions. As a result of my small investigation, I fully agree with you that option 1 and 4 are the desired operational modes.

BR,
Adam

---

From: metal...@googlegroups.com <metal...@googlegroups.com> on behalf of Dmitry Tantsur <dtan...@redhat.com>
Sent: Friday, January 5, 2024 5:10 PM
To: Metal3 Development List <metal...@googlegroups.com>
Subject: [metal3-dev] RFC: reducing the number of architectures in ironic-image

 

--
You received this message because you are subscribed to the Google Groups "Metal3 Development List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to metal3-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/metal3-dev/CACNgkFyyw2HkhMeHT6O%3DNRSViJZ9AZSr6anL2CkBji0%2B6EobwA%40mail.gmail.com.

[Dmitry Tantsur]

Okay, how do we want to proceed? I'm somewhat inclined to just remove the code because we don't have a reasonable deprecation process for ironic-image... or do we?

Dmitry

[Riccardo Pittau]

Hi all,

I'm planning another release of the ironic-image for next week since we have new bugfix branches in ironic upstream.
Considering that we don't have a deprecation policy, let's wait for the new release and then just remove the code?

Ciao
Riccardo

To view this discussion on the web visit https://groups.google.com/d/msgid/metal3-dev/CACNgkFy3GBXzvW6n8ihs5Z9kstBQNjfCoHfGOOSXen-3cthEGQ%40mail.gmail.com.

[Dmitry Tantsur]

Good plan Riccardo. I'll try to understand the exact scope of the deprecation and write an email here.

Dmitry

[Dmitry Tantsur]

Hi folks,

I finally had time to follow-up on this conversation. What https://github.com/metal3-io/ironic-image/pull/487 does is:

1) Remove scripts to run ironic API and conductor separately

2) Remove support for running ironic API under mod_wsgi

3) Deprecate IRONIC_DEPLOYMENT variable in favour of the existing IRONIC_EXPOSE_JSON_RPC

3) Remove support for running JSON RPC without authentication.

Please speak up as soon as possible if these changes may break your deployment.

Dmitry