Enable Automated Ironic Cleaning

openstack Nov 13, 2016

Enabling Ironic automated cleaning in OpenStack-Ansible is recommended for every deployment. While this is an "optional" setting, it should be enabled for general stability and data security; if you're not familiar with the Ironic cleaning service, please review the documentation found here. Sadly, the automated cleaning service cannot be enabled by default because it requires access to a Neutron tenant network, which OpenStack-Ansible does not create for you. However, the cleaning service can easily be enabled once the initial deployment has completed.

To enable the cleaning service, edit the file /etc/openstack_deploy/user_variables.yml, adding the following:

    # This is setup for the cleaning network. This must be configured as a post-deployment step as
    #  it requires the UUID of the cleaning network.
    cleaning_network_uuid: "UUID_OF_NEUTRON_TENANT_NETWORK"
    automated_clean: true
    shred_random_overwrite_iterations: 0
    shred_final_overwrite_with_zeros: false
    continue_if_disk_secure_erase_fails: false
    power_off_after_deploy_failure: true
    default_boot_option: local

Now, if you've not done so already, create a tenant network for use with Ironic.

Finally, run openstack-ansible os-ironic-install.yml --tags ironic-config. Once the command has finished, Ironic will automatically clean all nodes as they're enrolled or released back to the node pool.
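
A pre-flight check for the steps above, as an added example that is not part of the original post or of OpenStack-Ansible: it rejects the UUID_OF_NEUTRON_TENANT_NETWORK placeholder and confirms the cleaning settings before the playbook is run. The function names, messages and line-based parsing are assumptions, as is the reading that zero shred iterations with no final zero pass leave nothing overwritten if a secure-erase failure is ignored.

```bash
#!/bin/sh
# Added example (not from the original post): pre-flight check to run before
#   openstack-ansible os-ironic-install.yml --tags ironic-config
# Helper names and messages are hypothetical.

# Print the value of the first "key: value" line in a file; quotes, inline
# comments and trailing blanks are stripped. Commented-out keys are ignored.
get_var() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//'
}

# Return 0 only if the cleaning settings in file $1 are safe to deploy.
check_cleaning_vars() {
    ccv_rc=0
    ccv_uuid=$(get_var "$1" cleaning_network_uuid)
    ccv_re='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    if ! printf '%s\n' "$ccv_uuid" | grep -Eq "$ccv_re"; then
        echo "FAIL: cleaning_network_uuid '$ccv_uuid' is not a UUID" >&2
        ccv_rc=1
    fi
    if [ "$(get_var "$1" automated_clean)" != "true" ]; then
        echo "FAIL: automated_clean is not true" >&2
        ccv_rc=1
    fi
    # Assumption: with zero shred iterations and no final zero pass the
    # software overwrite writes nothing, so a failed secure erase must stay
    # fatal (continue_if_disk_secure_erase_fails: false, as in the post).
    if [ "$(get_var "$1" shred_random_overwrite_iterations)" = "0" ] &&
       [ "$(get_var "$1" shred_final_overwrite_with_zeros)" = "false" ] &&
       [ "$(get_var "$1" continue_if_disk_secure_erase_fails)" != "false" ]; then
        echo "FAIL: secure-erase failure would be ignored with no overwrite" >&2
        ccv_rc=1
    fi
    return "$ccv_rc"
}

# Constructed sample: settings from the post with the placeholder untouched.
demo() {
    demo_f=$(mktemp)
    printf '%s\n' '    cleaning_network_uuid: "UUID_OF_NEUTRON_TENANT_NETWORK"' \
        '    automated_clean: true' > "$demo_f"
    if check_cleaning_vars "$demo_f"; then echo "ok"; else echo "not ready"; fi
    rm -f "$demo_f"
}
demo
```

Run check_cleaning_vars /etc/openstack_deploy/user_variables.yml and continue to the playbook only when it exits with status 0.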

Kevin Carter