metal3-io · mchiappero · Jul 24, 2025 · Nov 13, 2025 · Jul 23, 2025 · Jul 23, 2025
diff --git a/README.md b/README.md
@@ -55,6 +55,12 @@ functionality:
    `PROVISIONING_MACS` is provided)
 - `PROVISIONING_IP` - the specific IP to use (instead of calculating it based on
   the `PROVISIONING_INTERFACE`)
+- `IRONIC_URL_HOSTNAME` - a fully qualified name resolving to an IPv4 and/or IPv6
+  address, used for both binding and forming the required URLs; for the latter
+  purpose only, it can be used in combination with `PROVISIONING_INTERFACE`, which
+  would instead be used for the former. If the hostname has both IPv4 and IPv6
+  records, and both addresses are correctly assigned on the same network interface,
+  `IRONIC_URL_HOSTNAME` enables a dual-stack ironic image configuration.
 - `DNSMASQ_EXCEPT_INTERFACE` - interfaces to exclude when providing DHCP address
   (default `lo`)
 - `HTTP_PORT` - port used by http server (default `80`)

diff --git a/ironic-config/apache2-ipxe.conf.j2 b/ironic-config/apache2-ipxe.conf.j2
@@ -1,4 +1,5 @@
-Listen {{ env.IPXE_TLS_PORT }}
+Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
+Listen [::]:{{ env.IPXE_TLS_PORT }}
 
 <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
     ErrorLog /dev/stderr

diff --git a/ironic-config/apache2-vmedia.conf.j2 b/ironic-config/apache2-vmedia.conf.j2
@@ -1,4 +1,5 @@
-Listen {{ env.VMEDIA_TLS_PORT }}
+Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
+Listen [::]:{{ env.VMEDIA_TLS_PORT }}
 
 <VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
     ErrorLog /dev/stderr

diff --git a/ironic-config/httpd-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2
@@ -12,11 +12,21 @@
 
 
 {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.IRONIC_LISTEN_PORT }}
+Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
+Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
- <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
+{% if env.ENABLE_IPV4 %}
+Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
+<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
+{% else %}
+<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
+{% endif %}
 {% endif %}
 
     DocumentRoot "/shared/html"

diff --git a/ironic-config/httpd.conf.j2 b/ironic-config/httpd.conf.j2
@@ -1,8 +1,14 @@
 ServerRoot {{ env.HTTPD_DIR }}
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.HTTP_PORT }}
+Listen 0.0.0.0:{{ env.HTTP_PORT }}
+Listen [::]:{{ env.HTTP_PORT }}
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
+{% if env.ENABLE_IPV4 %}
+Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
+{% endif %}
 {% endif %}
 Include /etc/httpd/conf.modules.d/*.conf
 User apache

diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
@@ -25,7 +25,13 @@ rpc_transport = none
 use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
+{% if env.ENABLE_IPV4 %}
 my_ip = {{ env.IRONIC_IP }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+my_ipv6 = {{ env.IRONIC_IPV6 }}
+{% endif %}
+
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
 
 # If a path to a certificate is defined, use that first for webserver
@@ -68,7 +74,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
 {% endif %}
 public_endpoint = {{ env.IRONIC_BASE_URL }}
 {% else %}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 port = {{ env.IRONIC_LISTEN_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 enable_ssl_api = true
@@ -186,7 +192,7 @@ cipher_suite_versions = 3,17
 # containers are in host networking.
 auth_strategy = http_basic
 http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 port = {{ env.IRONIC_JSON_RPC_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true

diff --git a/main-packages-list.txt b/main-packages-list.txt
@@ -12,3 +12,4 @@ sqlite
 syslinux-nonlinux
 util-linux
 xorriso
+bind-utils
diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
@@ -49,6 +49,14 @@ export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
 
 wait_for_interface_or_ip
 
+if [[ "$(echo "${LISTEN_ALL_INTERFACES}" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
+    export IRONIC_HOST_IP="::"
+elif [[ -n "${ENABLE_IPV6}" ]]; then
+    export IRONIC_HOST_IP="${IRONIC_IPV6}"
+else
+    export IRONIC_HOST_IP="${IRONIC_IP}"
+fi
+
 # Hostname to use for the current conductor instance.
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
 
@@ -130,4 +138,11 @@ render_j2_config "/etc/ironic/ironic.conf.j2" \
 configure_json_rpc_auth
 
 # Make sure ironic traffic bypasses any proxies
-export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+export NO_PROXY="${NO_PROXY:-}"
+
+if [[ -n "${IRONIC_IPV6}" ]]; then
+    export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}"
+fi
+if [[ -n "${IRONIC_IP}" ]]; then
+    export NO_PROXY="${NO_PROXY},${IRONIC_IP}"
+fi