Enable Automated Ironic Cleaning

Enable Automated Ironic Cleaning

Enabling the Ironic Automated cleaning in OpenStack-Ansible is recommended for every deployment. While this is an "optional" setting, it should be enabled for general stability and data security; if you're not familiar with the Ironic cleaning service please review the documentation found here. Sadly the automated cleaning service can not be enabled by default because it requires access to a Neutron tenant network, which is not created for you by OpenStack-Ansible. However, the cleaning service can easily be enabled after the completion of the initial deployment.

To enable the cleaning service edit the file /etc/openstack_deploy/user_variables.yml adding the following:

# This is setup for the cleaning network. This must be configured as a post deployment step as
#  it requires the UUID of the cleaning netowrk.
    cleaning_network_uuid: "UUID_OF_NEUTRON_TENANT_NETWORK"
    automated_clean: true
    shred_random_overwrite_iterations: 0
    shred_final_overwrite_with_zeros: false
    continue_if_disk_secure_erase_fails: false
    power_off_after_deploy_failure: true
    default_boot_option: local

Now, if you've not done so already, create a tenant network for use with Ironic.

Finally run openstack-ansible os-ironic-install.yml --tags ironic-config. Once the command has finished, Ironic will automatically clean all nodes as they're enrolled or released back to the node pool.