# Openstack Ussuri
## Introduction
* Currently, all of our services run on Kubernetes on VMs.
* There are several pros and cons to running Kubernetes on VMs:
* Pros
  * Isolation between applications that run on different VMs.
  * A consistent software environment can be created by running similar apps on the same VM.
* Cons
  * Persistent storage is much more difficult than on bare metal.
  * No dynamic resource utilization.
  * No failure recovery.
  * No fleet management.
## Introduction to Openstack
* OpenStack is software for building and managing cloud-computing platforms, for both public and private clouds.
* OpenStack deploys virtual machines and other instances that handle the different tasks of managing a cloud environment.
* OpenStack is an **IaaS** (Infrastructure as a Service) platform.
* OpenStack is managed by the OpenStack Foundation.
* OpenStack is open-source infrastructure software, licensed under the **Apache License, Version 2.0**.
## Services
The key services are:
* **Keystone** provides identity services: it keeps the list of users and services and controls their access (authentication and authorization) to the other services.
* **Glance** provides image services to OpenStack. Here "images" means virtual machine disk images.
* **Nova** is the compute engine used for deploying and managing large numbers of virtual machines.
* **Neutron** provides the networking capability of the cloud.
* **Cinder** is the block storage component. It provides persistent volumes (specific disk devices) that can be attached to instances.
* **Horizon** is the web dashboard. It is a Django application that consumes the REST APIs of the other services; it is not itself the API, since each service exposes its own REST API.
* **Heat** is the orchestration service: developers describe the resources an application needs in a template, and Heat creates and manages them.
## Installation
### Network Setting
On **Controller** Node in `/etc/hosts`
(`localhost` is included on the controller's own line to work around a problem with RabbitMQ.)
```
# controller
192.168.72.145 localhost controller
# compute1
192.168.72.247 compute1
```
On **Compute1** Node
In `/etc/hosts`
```
# controller
192.168.72.145 controller
# compute1
192.168.72.247 compute1
```
On **Controller** & **Compute1** Node
In `/etc/sysconfig/network-scripts/ifcfg-enp1s0`
```
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="enp1s0"
DEVICE="enp1s0"
ONBOOT="yes"
```
In `/etc/sysconfig/network-scripts/ifcfg-enp7s0`
```
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="enp7s0"
DEVICE="enp7s0"
ONBOOT="yes"
```
### NTP Setting
Installation
```bash
dnf install chrony
```
On **Controller** Node,
In `/etc/chrony.conf` add
```
pool tw.pool.ntp.org iburst
allow 192.168.72.0/24 # serve as ntp server to compute node
```
and comment out
```
#pool 2.centos.pool.ntp.org iburst
```
On **Compute1** Node,
In `/etc/chrony.conf` add
```
server controller iburst
```
and comment out
```
#pool 2.centos.pool.ntp.org iburst
```
Restart the chrony service
```bash
systemctl restart chronyd
```
Check that NTP is working correctly
```bash
chronyc sources
```
### Prerequisites
#### Openstack environment
Install for both **Controller** and **Compute1**
```bash
dnf install centos-release-openstack-ussuri
dnf config-manager --set-enabled PowerTools
dnf install https://www.rdoproject.org/repos/rdo-release.el8.rpm
dnf upgrade
dnf install python3-openstackclient
```
#### SELinux
On both **Controller** and **Compute1**,
edit `/etc/selinux/config` and set SELinux to permissive mode. Permissive does not disable SELinux: the policy stays loaded and denials are written to the audit log, but nothing is blocked. The official Ussuri guide keeps SELinux enforcing and installs the `openstack-selinux` policy package instead, which is the better choice outside a lab.
```
SELINUX=permissive
```
Reboot for the change to take effect:
```bash
reboot
```
#### Mariadb
```bash
dnf install mariadb mariadb-server python3-PyMySQL
```
Create and edit `/etc/my.cnf.d/openstack.cnf` as follows (use the controller's management IP as `bind-address`; MariaDB then accepts TCP connections from the network, so the host part of the `GRANT` statements below is what limits who can log in):
```
[mysqld]
bind-address = <your ip address>
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
```
Start and enable mariadb server
```bash
systemctl enable mariadb
systemctl start mariadb
```
Secure the installation (set the root password, remove the anonymous users and the test database, and disallow remote root login):
```bash
mysql_secure_installation
```
#### RabbitMQ
Install rabbitmq
```bash
dnf install rabbitmq-server
```
Enable & start rabbitmq
```bash
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service
```
Add openstack user
```bash
rabbitmqctl add_user openstack $RABBIT_PASS
```
Permit configuration, write, and read access for the openstack user:
```bash
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
```
#### Memcached
Install memcached (the `keystone_authtoken` sections and Horizon below expect it at `controller:11211`, so also configure it in `/etc/sysconfig/memcached` to listen on the management interface, then enable and start the `memcached` service)
```bash
dnf install memcached python3-memcached
```
#### Etcd
Install etcd
```bash
dnf install etcd
```
Edit `/etc/etcd/etcd.conf` (these listeners are plain `http://` with no client authentication, acceptable on an isolated lab network but not for anything reachable by untrusted hosts; then enable and start `etcd`)
```
#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.72.145:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.72.145:2379"
ETCD_NAME="controller"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.72.145:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.72.145:2379"
ETCD_INITIAL_CLUSTER="controller=http://192.168.72.145:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
```
### Keystone
* The identity service provided by OpenStack.
* Single point of integration for authentication, authorization, and the service catalog.
* Each service registers endpoints of three interface types: admin, internal, public.
* Keystone is the first service a user interacts with. Once authenticated, the user presents the token Keystone issued to the other OpenStack services' endpoints.
#### Components
1. Centralized server: It provides authentication and authorization services using RESTful API.
2. Drivers: service back-ends integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, e.g. an SQL database or LDAP.
3. Middleware modules: They intercept service requests, extract user credentials, and send them to the centralized server for authentication.
#### Installation
Connect to the mariadb server:
```bash
mysql -u root -p
```
Create the *keystone* database:
```sql
CREATE DATABASE keystone;
```
Grant the *keystone* user access to the *keystone* database (replace `KEYSTONE_DBPASS` with a real password; `'%'` allows logins from any host, so narrow it to the management network if the database port is reachable from elsewhere):
```sql
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
```
Install keystone along with apache server:
```bash
dnf install openstack-keystone httpd python3-mod_wsgi
```
Edit `/etc/keystone/keystone.conf`:
In the [database] section, configure database access:
```
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
configure the Fernet token provider:
```
[token]
...
provider = fernet
```
Populate the identity service database:
```bash
su -s /bin/sh -c "keystone-manage db_sync" keystone
```
Initialize fernet key repository:
```bash
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```
Bootstrap the identity service (Change ADMIN_PASS to your own password):
```bash
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id mcnlab
```
Configure the http server (run as root; `sudo echo ... >> file` would not work, because the redirection is performed by the unprivileged shell, not by `sudo`):
```bash
echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
```
Create symbolic link to the `/usr/share/keystone/wsgi-keystone.conf` file
```bash
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
```
Enable & start the http server:
```bash
systemctl enable httpd.service
systemctl start httpd.service
```
Write the following environment to `admin-openrc` and source it (`. admin-openrc`) before running the `openstack` commands below. The file contains the admin password in clear text, so keep it readable only by its owner. The domain *name* is `Default` (its ID is `default`), and Keystone serves the v3 API on port 5000 here, the same URL that was bootstrapped above; the legacy admin port 35357 is not used.
```bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```
Now create a project called `service`; the per-service users (`glance` and so on) are created in it:
```bash
openstack project create --domain default --description "Service Project" service
```
**Verification**
```bash
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
```
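What `openstack token issue` does on the wire, as an added example that is not part of this guide or of python-openstackclient: it builds the project-scoped password request that is POSTed to `/v3/auth/tokens`, reads the token from the `X-Subject-Token` response header, and looks up a service endpoint in the returned catalog the way every other OpenStack client does. `AUTH_URL` is the value from `admin-openrc`; `SAMPLE_HEADERS` and `SAMPLE_BODY` are a constructed, trimmed copy of what Keystone returns (the region `mcnlab` and the glance endpoint follow this guide), so the parsing runs offline; `issue_token()` is the live variant and needs a reachable controller plus the `OS_*` variables.

```python
"""Keystone v3 password authentication: the exchange behind `openstack token issue`."""
import json
import os
import urllib.request

AUTH_URL = "http://controller:5000/v3"  # from admin-openrc


def password_auth_body(username, password, project, domain="Default"):
    """Project-scoped password authentication request (identity API v3)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {"name": username, "domain": {"name": domain}, "password": password}
                },
            },
            "scope": {"project": {"name": project, "domain": {"name": domain}}},
        }
    }


def parse_token_response(headers, body):
    """Return (token, expires_at, catalog) from a 201 Created response.

    The token itself is only in the X-Subject-Token header; the JSON body
    carries its metadata, roles and the service catalog.
    """
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("no X-Subject-Token header: authentication did not succeed")
    tok = body["token"]
    return token, tok["expires_at"], tok.get("catalog", [])


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Pick a URL from the catalog by service type, interface and (optionally) region."""
    for svc in catalog:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type}")


# Constructed sample (header + trimmed body) for offline use; a real response
# also carries user, roles, project and the remaining catalog entries.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABfconstructedsampletoken"}
SAMPLE_BODY = {
    "token": {
        "expires_at": "2020-10-01T13:00:00.000000Z",
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "mcnlab", "url": "http://controller:5000/v3/"}]},
            {"type": "image", "name": "glance", "endpoints": [
                {"interface": "public", "region": "mcnlab", "url": "http://controller:9292"},
                {"interface": "internal", "region": "mcnlab", "url": "http://controller:9292"}]},
        ],
    }
}


def issue_token(auth_url=AUTH_URL):
    """Live version: POST the request using the OS_* variables from admin-openrc."""
    body = password_auth_body(os.environ["OS_USERNAME"], os.environ["OS_PASSWORD"],
                              os.environ["OS_PROJECT_NAME"],
                              os.environ.get("OS_USER_DOMAIN_NAME", "Default"))
    req = urllib.request.Request(auth_url + "/auth/tokens", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, json.load(resp))


if __name__ == "__main__":
    token, expires, catalog = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("token expires at", expires)
    # Later requests carry the token in the X-Auth-Token header, e.g. GET <image url>/v2/images
    print("image API:", find_endpoint(catalog, "image", region="mcnlab"))
```

The token is a bearer credential: anything that logs request headers (a proxy, httpd access logging with header capture) will capture it, which is one reason the endpoints above should eventually sit behind TLS.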
#### Basic Keystone usage
Create a domain
```bash
openstack domain create --description "description" <domain>
```
List all domains
```bash
openstack domain list
```
Delete domain(s)
```bash
openstack domain delete <domain>
```
#### Documentation
[More information](https://docs.openstack.org/keystone/latest/)
### Glance
#### Concept
* Glance is the image service.
* It enables users to discover, register, and retrieve virtual machine images.
* It offers a REST API that lets users query virtual machine image metadata and retrieve the actual image.
* Components
  * glance-api: accepts API calls for image discovery, retrieval, and storage.
  * glance-registry: stored, processed, and retrieved image metadata in older releases; it is deprecated and not started in this guide (only `openstack-glance-api` is enabled below), glance-api talks to the database directly.
  * Database: stores image metadata.
#### Installation
Connect to the mariadb server:
```bash
mysql -u root -p
```
Create the *glance* database:
```sql
CREATE DATABASE glance;
```
Grant proper access to the *glance* database
```sql
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'GLANCE_DBPASS';
```
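The keystone and glance database steps above repeat one pattern: `CREATE DATABASE`, then `GRANT` to a user of the same name from `'localhost'` and from the `'%'` wildcard. The following added example (not from the OpenStack install guide) generates those statements for any service, but draws the password from `secrets` instead of a placeholder, limits the grant to the controller and the `192.168.72.0/24` management network used in this guide (an assumption: adjust `hosts` to your network) rather than every host, and validates each identifier before it is spliced into the DDL, since database and user names cannot be bound as query parameters.

```python
"""Generate MariaDB bootstrap statements for an OpenStack service database."""
import re
import secrets

# MariaDB unquoted-identifier subset, so the generated statements need no backticks.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# Host patterns accepted in a GRANT: localhost, a dotted IPv4 address, or an
# IPv4 prefix ending in % (e.g. 192.168.72.% for this guide's management subnet).
_HOST = re.compile(r"^(localhost|(\d{1,3}\.){1,3}(\d{1,3}|%))$")


def new_db_password(nbytes: int = 24) -> str:
    """Return a URL-safe random password with nbytes of entropy (no quotes, no backslashes)."""
    return secrets.token_urlsafe(nbytes)


def bootstrap_sql(service: str, password: str, hosts=("localhost", "192.168.72.%")) -> list:
    """Return the SQL statements that create the <service> database and its user.

    As in the guide, the user name equals the database name. The default hosts
    are an assumption for this lab (controller itself plus 192.168.72.0/24).
    """
    if not _IDENT.match(service):
        raise ValueError(f"invalid identifier: {service!r}")
    for h in hosts:
        if not _HOST.match(h):
            raise ValueError(f"refusing host pattern: {h!r}")
    if "'" in password or "\\" in password:
        raise ValueError("password must not contain quotes or backslashes")
    stmts = [f"CREATE DATABASE IF NOT EXISTS {service};"]
    for h in hosts:
        stmts.append(
            f"GRANT ALL PRIVILEGES ON {service}.* TO '{service}'@'{h}' "
            f"IDENTIFIED BY '{password}';"
        )
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


def connection_url(service: str, password: str, host: str = "controller") -> str:
    """The matching [database] connection= value for the service's config file."""
    return f"mysql+pymysql://{service}:{password}@{host}/{service}"


if __name__ == "__main__":
    pw = new_db_password()
    print("\n".join(bootstrap_sql("glance", pw)))
    print("-- connection =", connection_url("glance", pw))
```

Run it and pipe the output into `mysql -u root -p`; the printed `connection =` line is what goes into `[database]` of the service's configuration. The wildcard `'%'` is refused on purpose: a user that can log in from anywhere is only as safe as the password, whereas a subnet restriction also limits where a leaked password can be used from.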
Create the glance service user (the password entered at the prompt must match `GLANCE_PASS` in the config below), the service entry, and its endpoints
```bash
openstack user create --domain default --password-prompt glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image
openstack endpoint create --region mcnlab image public http://controller:9292
openstack endpoint create --region mcnlab image internal http://controller:9292
openstack endpoint create --region mcnlab image admin http://controller:9292
```
Install glance package
```bash
dnf install openstack-glance
```
Edit `/etc/glance/glance-api.conf`
```
[database]
# ...
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
...
[keystone_authtoken]
# ...
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = GLANCE_PASS
...
[paste_deploy]
# ...
flavor = keystone
service_token_roles_required = true
...
[glance_store]
# ...
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
```
Synchronize database
```bash
su -s /bin/sh -c "glance-manage db_sync" glance
```
Start and enable glance service
```bash
systemctl enable openstack-glance-api.service
systemctl start openstack-glance-api.service
```
#### Documentation
[More information](https://docs.openstack.org/glance/latest/)
### Nova
In `/etc/httpd/conf.d/00-placement-api.conf`, add the following `<Directory>` block inside the `<VirtualHost>` section
```xml
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
```
It goes before `</VirtualHost>`; without it httpd denies access to the placement WSGI script (see [bug](https://bugzilla.redhat.com/show_bug.cgi?id=1434944)). Then, once nova's databases and configuration are in place (not shown on this page), map cell0, sync the nova database and set up cells v2:
```bash
su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
su -s /bin/sh -c "nova-manage db sync" nova
su -s /bin/sh -c "nova-manage cell_v2 simple_cell_setup" nova
```
### Neutron
Load the `br_netfilter` kernel module so that traffic crossing Linux bridges is passed through iptables; neutron's security groups (the iptables firewall driver) depend on it. Load it on every node that runs the neutron agents and add it to a `modules-load.d` file so it survives a reboot:
```bash
modprobe br_netfilter
```
### Horizon
In `/etc/openstack-dashboard/local_settings`
```
OPENSTACK_HOST = "controller"
WEBROOT = '/dashboard/'
ALLOWED_HOSTS = ['*']
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': 'controller:11211',
}
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
"identity": 3,
"image": 2,
"volume": 3,
}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
'enable_router': False,
'enable_quotas': False,
'enable_distributed_router': False,
'enable_ha_router': False,
'enable_lb': False,
'enable_firewall': False,
'enable_vpn': False,
'enable_fip_topology_check': False,
}
```
:::danger
`ALLOWED_HOSTS = ['*']` is not recommended: it turns off Django's Host header validation, so the dashboard answers to any `Host` value and becomes a target for HTTP Host header attacks (cache poisoning, crafted links in password-reset style flows). List the hostnames and IP addresses the dashboard is actually reached by, e.g. `['controller', '192.168.72.145']`.
:::
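An added example (not Horizon's own code) that audits a `local_settings` file for the weak values the note above warns about. `local_settings` is ordinary Python, so it is exec'd into a namespace and inspected; the checks cover Django settings that Horizon honours: the `ALLOWED_HOSTS` wildcard, `DEBUG`, and the secure-cookie flags. The two inline configurations are constructed samples, and the `tls` flag states whether TLS terminates in front of httpd: this guide serves the dashboard over plain HTTP, in which case `SESSION_COOKIE_SECURE`/`CSRF_COOKIE_SECURE` cannot be set yet (the browser would never send the cookies and login would fail).

```python
"""Audit a Horizon local_settings file for weak Django security settings."""


def load_settings(source: str) -> dict:
    """Execute local_settings source and return its upper-case names (the Django settings)."""
    ns = {}
    # Trusted input only: this is the configuration file we wrote ourselves.
    exec(compile(source, "local_settings", "exec"), ns)
    return {k: v for k, v in ns.items() if k.isupper()}


def audit(settings: dict, tls: bool = True) -> list:
    """Return (setting, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append(("ALLOWED_HOSTS",
                         "wildcard: Django will not validate the Host header; "
                         "list the dashboard's real hostnames and IPs"))
    if settings.get("DEBUG", False):
        findings.append(("DEBUG", "True: tracebacks and settings are exposed to clients"))
    if tls:  # only meaningful once the dashboard is served over HTTPS
        for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
            if not settings.get(flag, False):
                findings.append((flag, "not True: the cookie would also be sent over plain HTTP"))
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append(("SESSION_COOKIE_HTTPONLY", "False: session cookie readable from JavaScript"))
    return findings


# Constructed samples: the weak fragment mirrors the settings shown above,
# the hardened one what they should look like behind TLS.
WEAK_SAMPLE = '''
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*']
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
'''

HARDENED_SAMPLE = '''
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['controller', '192.168.72.145']
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST
'''


def audit_file(path: str, tls: bool = True) -> list:
    """Audit a real local_settings file, e.g. /etc/openstack-dashboard/local_settings."""
    with open(path, encoding="utf-8") as fh:
        return audit(load_settings(fh.read()), tls=tls)


if __name__ == "__main__":
    for name, src in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for setting, finding in audit(load_settings(src)) or [("-", "no findings")]:
            print(f"  {setting}: {finding}")
```

`audit_file("/etc/openstack-dashboard/local_settings", tls=False)` is the call to run on the controller while the dashboard is still on plain HTTP; switch `tls` to `True` once httpd serves it over HTTPS.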
In `/etc/httpd/conf.d/openstack-dashboard.conf`
```
WSGIApplicationGroup %{GLOBAL}
```
Restart the server and session storage service:
```bash
systemctl restart httpd.service memcached.service
```