Hello OpenStack Community,

I am currently working with OpenStack Ironic for provisioning bare metal servers and facing a specific challenge related to network security and automation. I would appreciate any insights or experiences you could share!

We use Ironic to provision bare metal servers, which involves utilizing a management VLAN during the PXE boot and initial OS installation process. Post-provisioning, the server’s management interface remains accessible, posing a security risk as it can potentially access the management network. I need to ensure that once a server is provisioned and handed over to a user, it cannot access the management VLAN until it is deprovisioned.

1. How can we automate the process of removing the management VLAN from the server’s network interface post-provisioning to prevent unauthorized access to the management network?

2. Upon server deprovisioning, how can we automatically re-enable the management VLAN to allow for server re-provisioning?

3. Are there any built-in OpenStack tools or common practices within the Ironic or larger OpenStack community to handle such scenarios?

Our goal is to maintain a high level of automation and self-service capability in our OpenStack environment while ensuring rigorous network security standards. Solutions that integrate seamlessly with OpenStack’s existing architecture would be ideal.

Thank you for your time and help!

Best regards,

Haja, Joel