This guide is the single Day 0 reference for IP address management and in-band/out-of-band network configuration for a NICo deployment. It walks an operator through every IP pool that must exist, how DHCP and DNS are served, and how to verify each piece end-to-end. Follow this page once during initial site bring-up; subsequent host ingestion and tenant operations rely on the configuration described here.
The values here are entered into the siteConfig TOML block of helm-prereqs/values/ncx-core.yaml (see Quick Start Guide, Step 3c) and into your site DNS and DHCP relay infrastructure. This page does not replace per-topic references — it consolidates them in the order an operator needs them. Sizing formulas, switch configuration, and BMC ingestion details are linked rather than duplicated.
Before configuring the items on this page, complete:
This page assumes the underlay and overlay routing decisions described in those pages have already been made.
NICo consumes IP addresses from three distinct sources:
Plan capacity for all pools before running setup.sh. Pools can be grown at runtime without a restart, but an exhausted pool blocks the next provisioning operation immediately. A 20–25% headroom margin over expected peak allocation is a reasonable default.
For per-pool sizing formulas (servers, DPUs, VPCs, instance types), see Network Prerequisites — IP Address Pools.
NICo defines two named loopback pools in the [pools.<name>] section of siteConfig:
Define each pool with either a prefix or one or more ranges. Providing both, or neither, prevents the API server from starting.
For pool semantics, runtime inspection (admin-cli resource-pool list), and the grow operation, see IP Resource Pools.
Note: Tenant workload IPs (the addresses an instance sees on its NICs) are not managed through these pools.
The host OS on each site controller node receives its primary IP from the parent datacenter (typically via DHCP). NICo does not assign or manage the site controller’s host OS IP.
For each site controller node that participates in DPU mode, a single /31 point-to-point subnet is allocated between the host OS and the DPU PF representor. These IPs are statically assigned at OS install time — not by NICo and not by the parent datacenter DHCP server. One /31 per site controller node (with DPUs) is required; nodes without DPUs need only one host IP.
For managed hosts (ingested machines), the host OS IP comes from the admin network until the host is assigned to a tenant:
carbide-api and pushed to the host via DHCP.[networks.<name>]; each managed host sources its admin IP from whichever segment matches.The admin network is defined in the [networks.admin] block of siteConfig:
Warning:
[networks.admin]prefixandgatewaymust be non-empty.carbide-apipanics at startup if either field is the empty string.
Every host BMC, DPU BMC, and DPU OOB interface needs an IP on the OOB management network. NICo supports two modes for each BMC interface:
Mixing modes within the same site is supported — each host can use whichever mode is convenient.
Per node, expect to allocate:
So a host with one DPU consumes three OOB addresses; a host without DPUs consumes one.
The OOB management network is declared as one or more NICo-managed network segments in siteConfig [networks.<name>] (block names are operator-chosen). Each segment carries its own prefix, gateway, and MTU. The OOB switches must run a DHCP relay pointed at the carbide-dhcp LoadBalancer VIP — they must not assign addresses themselves. See BMC and Out-of-Band Setup for switch-side relay configuration.
For sites that require a stable, pre-known BMC IP per host (for example, to wire DNS records or firewall rules before ingestion), set bmc_ip_address in the expected_machines.json manifest:
When bmc_ip_address is present:
carbide-api at manifest upload time.carbide-dhcp does not draw from the dynamic OOB pool for that host.siteConfig [networks.<name>], and it must not overlap any range used by the dynamic pool for that segment.For the full expected_machines.json schema and upload command, see Ingesting Hosts.
carbide-dhcp Workscarbide-dhcp is not a standalone DHCP daemon. It is a Kea DHCP hooks library (cdylib) loaded into the upstream Kea v4 server inside the carbide-dhcp container. Every DHCPDISCOVER/REQUEST is intercepted by the hooks library and forwarded to carbide-api over mTLS gRPC (the discover_dhcp RPC). carbide-api decides what address to lease based on:
expected_machines with a bmc_ip_address (predefined allocation).carbide-api consults the corresponding network segment pool and allocates the next free address.The hook callouts (lease4_select and lease4_renew) overwrite the lease that Kea would have selected — yiaddr, valid lifetime, and DHCP options are replaced with the values carbide-api produced, and the hook can return SKIP to cancel Kea’s own lease assignment and database write. The result is written to Kea’s memfile (kea-leases4.csv), but the authoritative record lives in carbide-api. From an operator perspective this means:
carbide-api’s database, not in Kea’s lease file.expected_machines.json and siteConfig network segments.carbide-api is unreachable, the hooks library serves cached negative responses (negative cache TTL: 5 minutes); this is a degraded-mode safety net, not a fallback pool.All three interface types are served by the same carbide-dhcp instance. What distinguishes them at the wire level is which network segment the relayed request lands in — carbide-api selects the segment by matching the relay’s giaddr against the gateway field of each [networks.<name>] block in siteConfig:
Each [networks.<name>] block declares:
A real site declares one admin segment and one underlay segment per OOB-facing TOR; the OOB management network is fragmented across as many underlay blocks as there are TORs.
To configure these flows:
siteConfig. Use the schema above. The admin segment is not a singleton — a site may declare multiple admin/management segments, and the host’s IP is sourced from whichever segment’s gateway matches the relay’s giaddr on the inbound DHCP request.carbide-dhcp LoadBalancer VIP (the IP assigned to the carbide-dhcp service by MetalLB in Quick Start Step 3h). The relay must be on the same L2 broadcast domain as the BMCs and DPUs it serves.expected_machines.json with bmc_ip_address populated before the host first powers on. Uploading after the BMC has already received a dynamic lease will not retroactively change its IP — release the lease (carbide-admin-cli ... em ...) and power-cycle the BMC.dhcp_servers in siteConfig to the list of DHCP server IPs reachable from bare-metal hosts. This list is informational and is passed through to agents; it does not change how carbide-dhcp itself serves leases. May be left as [].The values that carbide-dhcp returns in DHCP options (nameservers, NTP servers, next-server, boot file, etc.) are sourced from:
carbide-dhcp Helm chart (carbide-nameserver, carbide-ntpserver, etc.) — set these to the unbound.forge (or unbound.nico, see section 3) recursive resolver VIP and your enterprise NTP server addresses.siteConfig [networks.<name>] blocks — gateway, MTU, additional routes.NTP note: NICo does not run a standalone NTP service. NTP server addresses are distributed to managed hosts via DHCP option 42, configured in the
carbide-dhcpchart Kea hook parameters (carbide-ntpserver). Point this to your enterprise NTP servers.
After deployment, validate the DHCP path end-to-end:
Confirm the carbide-dhcp service is reachable on its LoadBalancer VIP:
Both EXTERNAL-IP and TYPE=LoadBalancer must be populated. A <pending> IP indicates a MetalLB issue — see Reference Installation — MetalLB troubleshooting.
Tail carbide-dhcp logs while a BMC powers on:
Each DISCOVER should produce a log line showing the source MAC, the resolved segment, and either a leased address or a discover_dhcp gRPC error from carbide-api. A DeadlineExceeded or Unavailable error means the hook cannot reach carbide-api; check the carbide-api LoadBalancer and TLS material.
Inspect Kea’s lease file to confirm a lease was committed:
The lease IP and MAC should match what carbide-api allocated. The lease file is authoritative for Kea only — carbide-api is the system of record.
From the OOB relay’s vantage point, verify packets are being forwarded by checking the switch’s relay statistics (show ip dhcp relay statistics on Cumulus / SONiC). DISCOVER packets sent should match OFFER packets received.
For DHCP-related stuck states during ingestion, see the WaitingForNetworkConfig playbook.
NICo’s DNS layer has two distinct pieces:
These two roles are independent. Managed machines never query carbide-dns directly — they query the recursive resolver, which forwards or recurses as needed.
carbide-dns Zones and What They Servecarbide-dns serves the site’s authoritative zones from carbide-api’s database. It can run in either of two modes — pick one at deploy time:
Both modes resolve the same records from the same source — the difference is only whether PowerDNS sits in front. Production deployments use both: choose based on whether you already operate PowerDNS at your site or prefer one fewer process to manage. The rest of this page applies to either mode.
The zones served are seeded by the initial_domain_name field in siteConfig (for example, mysite.example.com). On first start, carbide-api creates the corresponding domain record; carbide-dns then exposes whatever records exist in that zone in carbide-api’s database.
UFM endpoints under default.ufm.<initial_domain_name> are one example of records served this way when InfiniBand is configured (see InfiniBand Setup).
Operators do not edit carbide-dns zone files directly. Zone content is a function of carbide-api’s database state.
To configure carbide-dns:
initial_domain_name in siteConfig to your site’s DNS domain.carbide-dns Deployment / StatefulSet accordingly — set or omit --listen on the binary’s command line, and include or exclude PowerDNS from the pod spec.perPodAnnotations; see Quick Start Step 3h). In PowerDNS mode this is the PowerDNS service; in standalone mode it is the carbide-dns service.initial_domain_name zone from your upstream DNS to those VIPs, or configure your recursive resolver to forward queries for the zone to them.unbound Recursive Resolver for Managed MachinesManaged machines (host OS, DPU OS, host BMCs, DPU BMCs) need a recursive resolver that can resolve both the site-internal NICo service zone and external names. NICo deploys an unbound instance for this purpose.
The resolver address is distributed to managed machines via DHCP option 6, set in the carbide-dhcp Kea hook parameter carbide-nameserver. Managed machines have no compiled-in resolver address — changing the resolver is a DHCP configuration change, not a rebuild.
The resolver is responsible for:
.forge, .nico, or whichever convention your deployment uses; see below).carbide-dns for the site domain configured in initial_domain_name.To configure unbound:
local_data.conf ConfigMap consumed by the unbound Helm chart with one A record per service VIP (see section 3.3).initial_domain_name pointing at the carbide-dns VIPs.unbound image) unless your site is fully air-gapped.The unbound pod auto-reloads when the ConfigMap changes.
.forge DNS Service EndpointsA fixed set of NICo service hostnames are resolved by DPU agents, host PXE loaders, and other in-band management components at runtime. Several of these names are compiled into binaries or embedded shell scripts and cannot be overridden via config — DNS is the only way to redirect them.
Two TLD conventions exist:
.forge is the compiled default in crates/agent/src/util.rs and the host PXE loader scripts. The agent resolves carbide-pxe.forge, carbide-ntp.forge, etc. at startup. This is the TLD used by deployments built from the current binaries..nico is the rebranded TLD documented in deploy/DNS.md. New deployments may use this convention, but only if the agent and PXE images have been rebuilt with the new TLD.Choose the convention that matches your binaries — do not mix. Verify by checking what the agent actually resolves at startup (kubectl exec -n forge-system <agent-pod> -- getent hosts carbide-pxe.forge or the .nico equivalent).
The required A records (shown for .forge; substitute .nico if your binaries use it) are:
One additional .forge hostname, socks.forge, is hardcoded into the DPU agent as the SOCKS5 outbound proxy for DPU extension-service pods. Add a corresponding A record only if your environment runs a SOCKS5 proxy for that purpose; it is not part of every NICo deployment. For per-endpoint detail (consumers, in-cluster addresses, hardcode locations, and the unbound-vs-other-resolver guidance), see deploy/DNS.md. That file is the canonical endpoint reference; the table above is the operator-facing summary.
Note: Neither
.forgenor.nicois a publicly registered TLD. Both are used exclusively on the isolated OOB management network. Configure the recursive resolver to treat the chosen TLD as locally authoritative and not forward queries to upstream public resolvers.
From the site controller, confirm carbide-dns is responding:
From an OOB-network vantage point (a host BMC console, a managed host’s BMC web UI shell, or any client on the OOB network), confirm the service zone resolves:
Substitute .nico if that is the TLD baked into your binaries. Every name must return a non-empty A record set; a FAILED or empty result means the local_data.conf ConfigMap is missing that record. If your environment also runs a SOCKS5 proxy, extend the loop with socks.forge.
Confirm reachability on the expected ports:
A successful external recursion via unbound.forge confirms both DHCP option 6 (clients learn the resolver) and unbound’s recursion policy are correct.
Use this checklist as the final gate before powering on the first host BMC:
siteConfig [pools.lo-ip] and [pools.vpc-dpu-lo] populated with non-empty ranges.siteConfig [networks.admin] has non-empty prefix and gateway.[networks.<name>], sized for 1 + 2 × DPU_count IPs per host.initial_domain_name set in siteConfig.dhcp_servers set in siteConfig (or left as []).expected_machines.json uploaded for every host; bmc_ip_address populated for any host that needs a predefined BMC IP.carbide-dhcp LoadBalancer VIP.carbide-api, carbide-dhcp, carbide-pxe, carbide-dns (one per replica), carbide-ssh-console-rs, and unbound.unbound’s local_data.conf ConfigMap contains A records for carbide-api, carbide-pxe, carbide-static-pxe, carbide-ntp, unbound, and otel-receiver in the .forge (or .nico) zone; the carbide-ntp record points to your operator-supplied NTP server.carbide-dns zone for initial_domain_name is delegated from upstream DNS, or unbound forwards the zone to the carbide-dns VIPs.unbound.forge resolves every NICo service hostname (verified with the dig loop in section 3.4).carbide-dhcp logs show DISCOVER → OFFER for a test BMC power-on.When every item is checked, proceed to Ingesting Hosts.
lo-ip / vpc-dpu-lo semantics, sizing, admin-cli resource-pool grow.carbide-api.expected_machines.json schema and upload commands.deploy/DNS.md — canonical reference for NICo service hostnames, ports, and hardcoded-vs-configurable status.