Metal Provisioning Overview
Bridge provisions bare metal servers (compute nodes) using Canonical MaaS (Metal as a Service) or BCM (Bridge Cluster Manager) over the Out-of-Band (OOB) management network. Once provisioned, servers are prepared with the GPU software stack and registered in the Bridge catalog, ready for tenant allocation.
Provisioning Methods
| Method | Tool | How It Works |
|---|---|---|
| Canonical MaaS | MaaS micro-service | Redfish-based discovery, DHCP/TFTP OS deployment via OOB |
| BCM | Bridge Cluster Manager | Alternative provisioning backend |
| CSV Import | Manual | Upload server details via CSV file — no network discovery needed |
For large deployments, MaaS or BCM provides automated discovery and commissioning. For smaller deployments or when server details are already known, CSV import is simpler.
Day 0 Provisioning Sequence
Discovery and Commissioning
- Configure DHCP and TFTP — Bridge configures the TFTP server with OS images and the DHCP server for PXE boot, enabling network-based OS installation.
- Redfish discovery — Bridge uses Redfish (BMC API) to discover compute nodes over the OOB network. This retrieves the in-band interface MAC address and BMC credentials for each server.
- Fetch hardware details — Bridge queries each server for PCIe device details and other hardware properties (GPU model, memory, NIC type).
- Commission server — Bridge commissions the server in MaaS/BCM, which deploys the OS via PXE boot over the OOB network.
- Populate catalog — Discovered hardware properties are used to create metal and VM flavors in the Bridge catalog.
Post-Provisioning Preparation
After the OS is installed, Bridge prepares each server for GPU workloads:
| Preparation Step | Purpose |
|---|---|
| CUDA libraries | Enable GPU compute workloads |
| MOFED (Mellanox OFED) stack | Enable RDMA networking (RoCE, InfiniBand) |
| Kernel modules | Load required GPU and NIC drivers |
For VM-based deployments, Bridge additionally configures the host for KVM virtualization:
| Configuration | Purpose |
|---|---|
| intel_iommu=on | Enable IOMMU for PCIe device passthrough |
| PCIe GPU passthrough | Assign GPU directly to VM |
| Compute NIC passthrough | 1:1 mapping between GPUs and compute NICs |
| Macvlan virtual NIC | Converged network access for VMs |
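
A pre-flight check for the passthrough settings in the table above, as an added example that is not part of Bridge, MaaS or BCM: it confirms `intel_iommu=on` is on the kernel command line and that no GPU or NIC shares an IOMMU group with another endpoint. The function names, the PCI class filter and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# PCI base class codes: 0x02 network, 0x03 display (GPU), 0x06 bridge, 0x12 accelerator
PASSTHROUGH = {0x02, 0x03, 0x12}
BRIDGE = 0x06


def check_passthrough_host(cmdline, groups_root="/sys/kernel/iommu_groups"):
    """Return a list of findings; an empty list means the host passed."""
    findings = []
    if "intel_iommu=on" not in cmdline.split():
        findings.append("intel_iommu=on missing from kernel command line")
    groups = sorted(os.listdir(groups_root)) if os.path.isdir(groups_root) else []
    if not groups:
        findings.append("no IOMMU groups present: IOMMU is not active")
    for group in groups:
        dev_dir = os.path.join(groups_root, group, "devices")
        base = {}
        for bdf in sorted(os.listdir(dev_dir)):
            with open(os.path.join(dev_dir, bdf, "class")) as fh:
                base[bdf] = int(fh.read().strip(), 16) >> 16  # keep base class byte
        targets = [b for b, c in base.items() if c in PASSTHROUGH]
        peers = [b for b, c in base.items() if c != BRIDGE]
        # A group is the smallest unit the IOMMU can isolate, so a passthrough
        # device sharing one with any other endpoint cannot be given to a VM alone.
        if targets and len(peers) > 1:
            findings.append(f"group {group} is shared by {', '.join(peers)}")
    return findings


def build_sample_tree(root):
    """Constructed sample: group 0 is a lone GPU, group 1 mixes a GPU and a NIC."""
    sample = {"0": {"0000:17:00.0": "0x030200"},
              "1": {"0000:65:00.0": "0x030200", "0000:66:00.0": "0x020700"}}
    for group, devices in sample.items():
        for bdf, pci_class in devices.items():
            path = os.path.join(root, group, "devices", bdf)
            os.makedirs(path)
            with open(os.path.join(path, "class"), "w") as fh:
                fh.write(pci_class + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in check_passthrough_host("BOOT_IMAGE=/vmlinuz ro quiet", tmp):
            print("FAIL:", finding)
```

On a real host, pass the contents of `/proc/cmdline` and leave `groups_root` at its default. A shared group is not always a fault (a GPU and its paired compute NIC may go to the same VM), but every device in it has to be assigned together.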
Security and Isolation
OOB Network Isolation
All provisioning traffic is carried on the OOB management network, which is isolated from tenant compute and converged networks. Tenant access is not granted until network isolation is fully configured.
Compute Deallocation
When a tenant's compute allocation is revoked, Bridge wipes the server disk via MaaS or BCM — writing patterns to ensure no tenant data remains before the server is returned to the free pool.
For VMs, the VM disk is similarly wiped upon deletion.
Metal Provisioning with BF3
For servers equipped with BlueField-3 DPUs in Zero Trust mode, the provisioning sequence differs. The host OS is provisioned through the DPU rather than directly via MaaS over the OOB network. See BlueField-3 (BF3) for the full DPU provisioning flow.
Related Pages
- Secure and Measured Boot — DPU-based secure boot and firmware validation
- Hardware Attestation — Hardware integrity verification
- BlueField-3 (BF3) — DPU-based provisioning for zero-trust deployments
- Import Infrastructure — CSV-based server onboarding as an alternative to discovery