Power Synchronization

Baremetal Power Sync

Each Baremetal conductor process runs a periodic task which synchronizes the power state of the nodes between its database and the actual hardware. If the value of the conductor.force_power_state_during_sync option is set to true the power state in the database will be forced on the hardware and if it is set to false the hardware state will be forced on the database. If this periodic task is enabled, it runs at an interval defined by the conductor.sync_power_state_interval config option for those nodes which are not in maintenance. The requests sent to Baseboard Management Controllers (BMCs) are done with a parallelism controlled by conductor.sync_power_state_workers. The motivation to send out requests to BMCs in parallel is to handle misbehaving BMCs which may delay or even block the synchronization otherwise.

Note

In deployments with many nodes and IPMI as the configured BMC protocol, the default values of a 60 seconds power sync interval and 8 worker threads may lead to a high rate of required retries due to client-side UDP packet loss (visible via the corresponding warnings in the conductor logs). While Ironic automatically retries to get the power status for the affected nodes, the failure rate may be reduced by increasing the power sync cycle, e.g. to 300 seconds, and/or by reducing the number of power sync workers, e.g. to 2. Please keep in mind, however, that depending on the concrete setup increasing the power sync interval may have an impact on other components relying on up-to-date power states.

Compute-Baremetal Power Sync

Each nova-compute process in the Compute service runs a periodic task which synchronizes the power state of servers between its database and the compute driver. If enabled, it runs at an interval defined by the sync_power_state_interval config option on the nova-compute process. In case of the compute driver being baremetal driver, this sync will happen between the databases of the compute and baremetal services. Since the sync happens on the nova-compute process, the state in the compute database will be forced on the baremetal database in case of inconsistencies. Hence a node which was put down using the compute service API cannot be brought up through the baremetal service API since the power sync task will regard the compute service’s knowledge of the power state as the source of truth. In order to get around this disadvantage of the compute-baremetal power sync, baremetal service does power state change callbacks to the compute service using external events.

Power State Change Callbacks to the Compute Service

Whenever the Baremetal service changes the power state of a node, it can issue a notification to the Compute service. The Compute service will consume this notification and update the power state of the instance in its database. By conveying all the power state changes to the compute service, the baremetal service becomes the source of truth thus preventing the compute service from forcing wrong power states on the physical instance during the compute-baremetal power sync. It also adds the possibility of bringing up/down a physical instance through the baremetal service API even if it was put down/up through the compute service API.

This change requires the nova section and the necessary authentication options like the nova.auth_url to be defined in the configuration file of the baremetal service. If it is not configured the baremetal service will not be able to send notifications to the compute service and it will fall back to the behaviour of the compute service forcing power states on the baremetal service during the power sync. See nova group for more details on the available config options.

In case of baremetal stand alone deployments where there is no compute service running, the nova.send_power_notifications config option should be set to False to disable power state change callbacks to the compute service.

Note

The baremetal service sends notifications to the compute service only if the target power state is power on or power off. Other error and None states will be ignored. In situations where the power state change is originally coming from the compute service, the notification will still be sent by the baremetal service and it will be a no-op on the compute service side with a debug log stating the node is already powering on/off.

Note

Although an exclusive lock is used when sending notifications to the compute service, there can still be a race condition if the compute-baremetal power sync happens to happen a nano-second before the power state change event is received from the baremetal service in which case the power state from compute service’s database will be forced on the node.

Power fault and recovery

When Baremetal Power Sync is enabled, and the Bare Metal service loses access to a node (usually because of invalid credentials, BMC issues or networking interruptions), the node enters maintenance mode and its fault field is set to power failure. The exact reason is stored in the maintenance_reason field.

As always with maintenance mode, only a subset of operations will work on such nodes, and both the Compute service and the Ironic’s native allocation API will refuse to pick them. Any in-progress operations will either pause or fail.

The conductor responsible for the node will try to recover the connection periodically (with the interval configured by the conductor.power_failure_recovery_interval option). If the power sync is successful, the fault field is unset and the node leaves the maintenance mode.

Note

This only applies to automatic maintenance mode with the fault field set. Maintenance mode set manually is never left automatically.

Alternatively, you can disable maintenance mode yourself once the problem is resolved:

baremetal node maintenance unset <IRONIC NODE>